1. Field of the Invention
The present invention relates to a secure software execution mechanism. In particular, it relates to a mechanism appropriate for software circulation.
2. Description of the Related Art
One of the most notable features of the Internet is that it is a truly open environment. Not only is it being constantly extended worldwide, but also no one can fully control or determine who the users are, or what software and contents are distributed through it. These features are in stark contrast to traditional, closed computer environments such as batch, TSS, LAN, or personal systems. Throughout the history of computer systems, the computer environment has almost always been closed, so designers of system software have implicitly assumed a closed environment was the norm. The worldwide spread of the Internet occurred within a relatively short portion of the history of computer system development, so there was little time for designers of system software to fully anticipate the issues that would arise when closed environments became open. Though the environment has drastically opened up, system software whose basic design is based on an assumption of a closed environment is still used. Thus, current computer systems can often be characterized as putting new wine in old bottles.
If a network environment is closed and users cannot access an open network environment such as the Internet, malicious users and the files created by such users are far less likely to exist. Unfortunately, in the Internet environment, this cannot be assumed. Thus, obtaining files, particularly software that includes executable or interpretable code, from the Internet can be a risky activity. One approach now being used to lessen the risk is to use a code-signing technique such as Microsoft's Authenticode. A promising technical approach to solve this problem is to create a ‘sandbox’ and encapsulate risky effects in a limited, controllable environment separate from the users' ordinary environment. This approach has been adopted in many systems, such as Java, SFI, Janus, MAPbox, and SubDomain.
To clarify the concept of secure software circulation, a model for unsecure software circulation, which is a generalization of software distribution as conventionally performed, is first presented. A model for secure software circulation is then presented, and how it can be used is explained.
(A Model for Unsecure Software Circulation)
Software circulation is the term used hereafter to refer to a generalization of the ‘software distribution’ concept. Software distribution usually means unidirectional, one-time, one-to-many distribution of a software package. By relaxing these properties, that is, by making software distribution multidirectional, multi-time, many-to-many, the concept of software circulation is obtained. Software circulation is composed of four basic operations: encapsulation, transfer, extraction, and execution. For each operation, a graphic representation as shown in FIG. 1 is used.
The ‘encapsulation operation’ shown in FIG. 1(a) is applied to one or more files 110, 120, and 130 and creates an archive file 150 that encapsulates those files. The ‘transfer operation’ of FIG. 1(b) moves an encapsulated file 150 from a source site 162 to a destination site 164. The ‘extraction operation’ of FIG. 1(c) is the inverse of the encapsulation operation: one or more files 110, 120, and 130 are extracted from an archive file 150. Extracted files are stored somewhere in the file system of the site 164 where the operation is performed. File allocation, naming, and access-control setting are performed at that time. In the ‘execution operation’ of FIG. 1(d), an executable program 140, shown as the circle containing a cross, is executed. During the execution, files 110, 120, and 130 (the circles without a cross) may be read as input, produced as output, or modified.
By combining these operations, typical software circulation scenarios can be represented. FIG. 2 illustrates software distribution. At the sender site 162 (e.g., a distributor of a software package), the files of a software package are encapsulated into an archive file 150. The archive file 150 is transferred from the distributor's site 162 to a receiver (user) site 164. At the user's site 164, the archive file 150 is extracted and stored in the user's file system by file processing or an installation program 140.
FIG. 3 shows a variation of the software distribution of FIG. 2; an extraction and/or installation program 142 is included within the archive file 152. A user who receives that archive file may carry out installation and the like using the program 142 in the archive file 152. This is flexible and convenient, since the distributor can do anything during the installation by describing it in the installation program, even if the user does not have an extraction or installation program.
FIGS. 4 and 5 show iterative styles of software circulation. FIG. 4 models a workflow system. In FIG. 4, programs 144 and 146 at sites 166 and 168 are applied to circulated files 154, 155, and the like, respectively. In FIG. 5, a program 148 included in the circulated file 157 or 158 is executed and this models a mobile agent system.
The model presented in FIGS. 1 through 5 is unsecure in the following aspects:
(1) In the encapsulation operation, a malicious person may lay traps in the archive file; for example, by including files that perform malicious actions when executed or that overwrite existing files for malicious purposes when extracted.
(2) During the transfer operation, files may be maliciously interrupted, intercepted, modified, or fabricated.
(3) During the extraction operation, extracted files are stored in the user's file system, their file storage is allocated and named, and their access control is set at that time. These operations are critical for the management of the user's file system, and are quite dangerous if they are not done according to the user's management policy.
For these reasons, this model is called the unsecure software circulation (USC) model.
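As an added illustration of aspects (1) and (3), not part of the patent text, the following Python example shows an extraction operation that checks each archive member against the receiving site's own policy before allocating, naming, and setting access control on it: members whose names escape the destination directory or that would overwrite an existing file are rejected rather than extracted. The archive contents are constructed inline; the policy rules and the 0o600 mode are assumptions for the example.

```python
import io
import os
import tarfile
import tempfile

# Added example: policy-checked extraction (assumed rules, not the patent's).
def check_member(member, dest_dir):
    """Return None if the member may be extracted, else the reason to reject it."""
    if not member.isfile():
        return "not a regular file"  # links and devices could retarget the write
    target = os.path.realpath(os.path.join(dest_dir, member.name))
    if os.path.commonpath([target, dest_dir]) != dest_dir:
        return "escapes destination directory"  # e.g. '../' in the member name
    if os.path.exists(target):
        return "would overwrite an existing file"
    return None

def safe_extract(archive_bytes, dest_dir):
    """Extract only policy-conforming members; return (accepted, rejected)."""
    dest_dir = os.path.realpath(dest_dir)
    accepted, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            reason = check_member(member, dest_dir)
            if reason:
                rejected[member.name] = reason
                continue
            target = os.path.realpath(os.path.join(dest_dir, member.name))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(tar.extractfile(member).read())
            os.chmod(target, 0o600)  # access control set by the receiver, not the sender
            accepted.append(member.name)
    return accepted, rejected

def build_sample_archive():
    """Constructed sample archive: one benign file and two trap entries."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [("pkg/readme.txt", b"hello"),
                           ("../outside.txt", b"trap"),
                           ("pkg/readme.txt", b"overwrite attempt")]:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo():
    """Run the checked extraction into a temporary destination directory."""
    with tempfile.TemporaryDirectory() as d:
        return safe_extract(build_sample_archive(), d)
```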