The present invention relates to a program editing method for protecting a program that controls a resource and for preventing the program from being called by a malevolent program.
Java has a unique programming environment that permits a plurality of programs to be loaded into and executed by a single Java VM. Therefore, a mechanism is required to prevent a program that controls certain resources and that must be protected (hereinafter referred to as a program A) from being called by a malevolent program (hereinafter referred to as a program M). The program A for which protection is required is, for example, a system class group (e.g., java.io.FilelnputStream) for accessing a local file, a class for managing privacy information relating to a user, or a class that has the authority to call a system class when a signature is provided for the program A.
Generally, the following two methods are employed as means for hiding a program A from a program M during its execution. The first method is a method for separating a class loader when the program A and the program M are separate applications. All Java code is constituted by a class file for each class unit, and when a class is requested, it is dynamically loaded by the class loader. The class loader examines the principle of the pertinent class to determine whether or not it should be loaded.
The second method is a method by which a stack inspection is performed to test the principle of the program M if the program A is a system class. However, according to the method for separating class loaders, if the program A and the program M are placed on the same web page (in the same directory), the program M can employ the class loader provided for the program A, so that any limitations imposed on access are nullified. According to the method for conducting a stack inspection, a stack inspection can not be performed for a program A having a signature that provides the authority necessary for an access, or a class that is loaded from a local file.
The means (static access control) for protecting a program A before the execution is, for example, a method for employing a name scope to limit an access. The name scope is what is declared by a field or a method to define the visibility of a field or a method. In accordance with the declared name, references (accesses) by another program can be controlled. For example, the xe2x80x9cprivatexe2x80x9d scope can not be directly referred to by other programs, while the xe2x80x9cpublicxe2x80x9d scope can. Further, the xe2x80x9cpackagexe2x80x9d scope can not be referred to by programs outside the package of the field and the method for which the package scope is declared.
When the name scope is to be employed, it is guaranteed that a field or a method that is declared private will not be directly accessed by another program. Therefore, when a program A is declared to be private, accesses by the program M can be prevented. However, so long as a program consists of a plurality of classes and interaction among these classes is present, not all the fields and methods can be declared private, and the scope of some of the fields and methods must be the package scope or a higher scope (protected or public).
In accordance with Java programs up to JDK 1.2.1, an arbitrary program M can freely declare its package as constituting the package scope (it should be noted that a package name should fall within the effective name range for the package). Therefore, a so-called xe2x80x9cPackage Joining Attackxe2x80x9d occurs when a program M declares its package using the same name as is used by a program A, and joins the package of the program A. That is, while the names of the methods and fields in different packages can be prevented from erroneously colliding with each other, for security, it can not be used as an access control mechanism.
Since the One-Package-One-Principal Policy, according to which only one signatory is allocated for one package is employed in the JDK 1.2.2, a program M without a signature can not join the same package as a program A which has a signature. Therefore, in the signed program, the field or the method that is declared as a package is not accessed by a malevolent program. Thus, for security, the package scope can function to limit access.
As is described above, a static access control means that employs a name scope can effectively function as a Java mechanism for preventing a program A, which controls a resource and which must be protected, from being called by a malevolent program M. However, for security, this mechanism only works when the program A is declared to be private, or when the signed program A is declared to be a package. Thus, security is still not provided for the class, the fields or the methods with the protected scope or the public scope.
Most non-trivial Java programs consist of a plurality of packages, and for interaction among the packages, some of the classes, the fields or the methods must be declared as being public. Therefore, in such a program, access control using the private scope or the package scope can not be effectively utilized.
It is, therefore, one object of the present invention to edit a Java program by effectively utilizing the access control using a name scope, so that a program that controls a resource and is to be protected can be prevented from being called by a malevolent program.
It is another object of the present invention to edit a program written in a programming language that implements an access control process based on the same concept as the package scope of Java, so that a program that controls a resource and is to be protected can be prevented from being called by a malevolent program.
To achieve the above objects, in accordance with the present invention a method is provided for editing a program written in an object oriented programming language that satisfies two conditions, a condition according to which a program includes the concept of a package that controls visibility of local names, and a condition according to which a program includes an access control system for obtaining an access authority based on xe2x80x9cprincipal (identity of person or entity that developed or deployed the program)xe2x80x9d information provided to specify the references of an access requester, the method comprising: a package name replacement step of replacing package names allocated for a plurality of classes that constitute an application program having a single package name; a data attribute change step of changing an attribute of internal fields of the classes that are not referred to by a source outside the application program, so as to accept an access request for a reference from the same package; and an access authority provision step of providing an access authority that is based on the principal information for the application program that has been processed at the package name replacement step and the data attribute change step. With this arrangement, except for a method or a variable among the system classes that is externally referred to, the fields in the package can not be accessed by a program without the same access authority as the application program. Since the one-package-one-principal policy is employed, the fields can not be accessed by a requestor outside the application program, and external illegal accesses can be prevented.
The program editing method further comprises: a class name changing step of changing the class name of a specific class of the application program when as a result of the package name replacement step the specific class has a name collision. This arrangement is preferable because single packaging of the application program can be performed even when a class having the same class name is present in a different package.
At the class name changing step, in order to change the class name of the specific class, a new class name is generated by using a character string that is employed for the package name of the package, before the package is changed at the package name replacement step, to which the specific class belongs. This arrangement is preferable because to avoid a collision a new class name can be mechanically generated. A method for replacing dots in a package name with underscores (underlining) and using the underscores can be employed to generate a new class name using the character string employed for the package name. Further, in order to completely avoid a collision, a new class name may be provided by adding a character string that does not yet appear in any of the class names.
The program editing method further can include a step of: mechanically changing class names in the application to unique class names that do mutually not overlap without detecting whether one class name overlaps another as a result of a change in the package name. A method for allocating a serial number to each class can be employed to change the class names.
According to the present invention, the following single packaging system can be provided for the single packaging of a Java program. Specifically, a single packaging system comprises: input means for entering a Java program consisting of a plurality of classes; package name replacement means for replacing, with a single package name, package names of packages to which the classes of the Java program entered by the input means belong; name scope changing means for changing, to package scopes, name scopes of internal fields in the classes that are not to be referred to by sources outside the Java program; and output means for outputting the obtained Java program through the package name replacement and the name scope change. With this arrangement, an external access to the fields of the application program that is to be referred to only by the application program is not accepted. Therefore, when the program is digitally signed and the one-package-one-principal policy is employed, an access by a source outside the program is not accepted for the message and the variable described above, and an illegal external access can be prevented.
Therefore, the single packaging system further comprises: digital signing means for digitally signing the program obtained through the package name replacement and the name scope change.
The single packaging system can further include: name list preparation means for preparing a name list for the class names and the name scopes of the internal fields in the classes; name collision avoiding means for examining the name list, prepared by the name list preparation means, to find class names that are the same as the result of the package name replacement performed by the package name replacement means, and for changing the same class names in the name list in order to avoid the overlapping of the class names, and the name scope changing means refers to the name list to change the name scopes, and replaces class names with class names to avoid collision. This arrangement is preferable because the program can be formed into a single package even when a class having the same class name exists in a different package in the program before being single packaged.
According to the present invention, a Java program development system comprises: package name replacement means for replacing, with a single package name, package names of packages to which classes that constitute the program belong; name scope changing means for changing, to package scopes, name scopes of internal fields in the classes that are not to be referred to by sources outside the application program; and digital signing means for digitally signing the program obtained through the package name replacement and the name scope changing. This arrangement is preferable because the program that is prepared at the final step of the Java program development can be formed into a single package and digitally signed.
The Java program development system further comprises: name list preparation means for preparing a name list for the class names and the name scopes of the internal fields in the classes; name collision avoiding means for examining the name list, prepared by the name list preparation means, to find class names that are the same as the result of the package name replacement performed by the package name replacement means, and for changing the same class names in the name list in order to avoid the overlapping of class names; and the name scope changing means refers to the name list to change the name scopes, and replaces class names with class names to avoid collision. This arrangement is preferable because the program can be formed into a single package even when a class having the same class name exists in a different package in the program before being single packaged.
According to the present invention, the following principal information addition system for adding principal information to a program can be provided. A principal information addition system comprises: input means for entering an application program that has as a concept a package that controls visibility of local names, and that consists of one or more classes that belong to predetermined packages; package name replacement means, for replacing, with a single package name, package names of packages to which the classes of the application program entered by the input means belong; data attribute change means, for changing an attribute of internal fields of the classes that are not referred to by sources outside of the application program, so as to permit an access for a reference in the same package; and principal information addition means, for adding principal information for specifying a reference of an access requesting principal to the application program obtained through the package name replacement and the data attribute change, and for controlling access based on the principal information; and output means, for outputting the application program including the principal information. This arrangement is preferable because the application program can be formed into a single package at the same time, when the principal information is added to the program.
A digital signature can be employed for the principal information to be added by the principal information addition system. This is preferable because the present invention can be applied for a conventional access control system that obtains the access authority based on a digital signature.
According to the present invention, an editing program, which permits a computer to edit the program that is written in an object oriented programming language, based on a concept of a package that controls visibility of local names comprises: a package name replacement process, for replacing, with a single package name, package names of packages to which classes that constitute an application program belong; and a data attribute change process, for changing an attribute of internal fields of the classes that are not referred to by sources outside the application program, so as to accept an access for a reference in the same package. The editing program further comprises: a class name changing process for changing the class name of a specific class of the application program when as a result of the package name replacement process the specific class has the same class name as another class. This arrangement is preferable because single packaging of the application program can be performed even when a class having the same class name is present in a different package.
According to the present invention, a storage medium is provided on which input means of the computer stores a computer-readable program, which permits the computer to perform: a process for replacing, with a single package name, package names of packages to which classes that constitute a Java application program belong; and a process for changing, to package scopes, name scopes of internal fields in the classes that are not to be referred to by sources outside the Java application program. This arrangement is preferable because all the computers that have installed this computer-readable program can perform single packaging for the Java program.
For the storage medium, the computer-readable program permits the computer to further perform: a class name changing process for changing the class name of a specific class of the application program when as a result of the package name replacement process the specific class has the same class name as another class.
According to the present invention, a program transmission system comprises: storage means for storing a program that permits a computer to perform a process for replacing, with a single package name, package names of packages to which classes that constitute a program belong, and a process for changing, to package scopes, name scopes of internal fields in the classes that are not to be referred to by sources outside the application program; and transmission means for reading the program from the storage means and transmitting the program. This arrangement is preferable because all the computers that have downloaded this program can perform single packaging of the Java program.
For the program transmission apparatus, the program permits the computer to further perform: a class name changing process for changing the class name of a specific class of the application program when as a result of the package name replacement process the specific class has the same class name as another class.