The present disclosure relates to security for software that runs in a computing system, such as security for software applications that run in a cross-platform runtime environment of a computing platform.
Many approaches to managing software that is run in computing systems have been developed, and in particular, various approaches have been taken to help prevent malicious software from being installed or run on a computer. The need to trust software is particularly important where software runs as a desktop application that has power over a computer. For instance, software running locally on a machine may have the power to perform actions such as changing the state of the machine, changing or accessing data, and deleting files. Among other concerns is whether such software will cause harm to a computer or compromise user data.
To identify software as trusted, WINDOWS® based computer platforms often enable the use of certificates. Certificates are electronic documents that incorporate a digital signature to bind together a public key with an identity. For instance, a public key certificate can be used to verify that a public key belongs to an individual. Typical certificates include self-signed certificates, which contain a public key and a signature of that public key by a private key that corresponds to the public key, and chained certificates, which depend on a third party entity to confirm the identity of an entity. Certificates can be checked at install time, and various notifications regarding the software application can be provided to the user, based on the certificate, at the time of installation, to help the user in determining whether or not to proceed with the installation. Additionally, any applications having a certificate that chains to a valid certificate can be considered legitimate.
When a software program (such as a plug-in to a Web browser) is downloaded from the Internet, the software program may be associated with a certificate. In such a case, the Web browser provides information from the digital certificate (e.g., the name of the of application and the identity of the entity that signed the application using the certificate) along with a notice regarding the risks of trusting the information and the program, in order to help the user in safe guarding their computer from potentially malicious programs. For example, if the digital certificate is a self-signed certificate, the Web browser will notify the user of the increased risk of installing such software, as opposed to software that has been signed by a certificate that is co-signed by a recognized certificate authority.
Other mechanisms for preventing the operation of harmful software on a computer include commercially available software products providing anti-spyware and anti-virus features designed to maintain computer security. These software products typically scan files (e.g., executable files) for know bit patterns to identify viruses, Trojan horses, worms, etc. The scanning is typically performed periodically for software and data stored on a computer, and for network communications at the time of sending or receiving. Such programs can also be set up to automatically scan software at the point of installation. Moreover, such programs have also included functionality to verify trusted Web sites and block fake Web sites.