1. Field of the Invention
The present invention relates to computer mechanisms for safely executing software which has been obtained over a network or other means.
2. Related Art
In order to increase the utility of networked computers, methods have been sought to allow them to execute programs obtained from servers. The primary advantage of such a system from the user's viewpoint is that it decreases the amount of software that must be stored on the user's computer. From the software developer's viewpoint, the system has a number of advantages, a main one being that the program provider has greater control over the distribution of the programs. The use of downloadable executable programs such as Sun Microsystems' embedded Java Applets in World Wide Web documents is a popular example of such a system.
A significant concern with this approach is that the software obtained from the server may be malicious and damage the user's computer or steal data (see McGraw & Felten.sup.3, pages 28-33). Downloaded software must therefore be executed in a controlled environment in which it is given only the system resources that it needs and no more.
A main problem with the current Java security mechanism is that it is not flexible enough. A single Java program can be an Applet, or an application (a more general program written in the Java language), or both. All Java Applets are considered hostile and are not allowed to access most resources on the user machine's operating system (see McGraw & Felten, pages 54-55; and Flanagan.sup.15, pages 211-213). Conversely, Java applications are considered completely trustworthy and may fully exploit any and all of the system resources.
Designing flexible security policies in the Java Application Environment (JAE) is limited by the design decision to allow only a single System SecurityManager to be set during an instantiation of the JVM (see Chan & Lee', page 1188). This limitation restricts the JVM to a single system-wide security policy, though it can be customized somewhat through the use of Access Control Lists (ACLs). Although the JAE now allows more than one SecurityManager to be created, the need remains for an improved method and flexible structure which supports multiple security policies in a single instance of the JVM. The present invention addresses such a need.
A number of computer operating systems use capabilities to control access to system resources. A capability is a permission held by a process to perform some action on another object or resource. Notable operating systems that use capabilities for enforcing security are CMU Hydra OS.sup.4, Amoeba.sup.11 and Mach.sup.12. Notable computers with such capabilities include the Burroughs 5700/6700.sup.5, IBM System 38.sup.6, Cambridge Capability Computer.sup.7,8, and the Intel 432.sup.9, among others.sup.10. A problem with this approach is that once a process obtains a capability, it has unrestricted permission to perform actions on the object or resource. By themselves, capabilities do not permit selective constraints on access to objects and resources based on the current operating context. That is, capabilities illicitly or surreptitiously obtained will allow access to objects and resources to which a process should not have access.
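The two limitations described above (a single system-wide policy in the JVM, and capabilities that grant unrestricted access once held) can be made concrete with a small illustration. The following Java program is an added example, not code from the patent or from the Java platform; the `Context`, `Resource`, `PlainCapability` and `BoundCapability` classes are assumed names invented for this illustration. It contrasts a plain capability, which any holder may exercise regardless of where it came from, with a capability that is bound to the operating context it was issued to and that can be revoked, which is the kind of per-context constraint the passage says plain capabilities lack.

```java
import java.util.Objects;

// Added illustration (not the patent's own design): a capability that is valid
// only when exercised from the operating context it was issued to.
public final class ContextBoundCapabilityDemo {

    /** Assumed model: an operating context is identified by a trust-domain name. */
    static final class Context {
        final String domain;
        Context(String domain) { this.domain = domain; }
    }

    /** A protected resource that should be reachable only through a capability. */
    static final class Resource {
        private final String name;
        Resource(String name) { this.name = name; }
        String read() { return "contents of " + name; }
    }

    /** Plain capability: whoever holds the object may use it, whatever context is calling. */
    static final class PlainCapability {
        private final Resource target;
        PlainCapability(Resource target) { this.target = target; }
        String use(Context caller) {
            // No check of the caller: a leaked or surreptitiously obtained capability still works.
            return target.read();
        }
    }

    /** Context-bound capability: usable only from the issuing context, and revocable by the issuer. */
    static final class BoundCapability {
        private final Resource target;
        private final Context issuedTo;
        private volatile boolean revoked;
        BoundCapability(Resource target, Context issuedTo) {
            this.target = target;
            this.issuedTo = issuedTo;
        }
        String use(Context caller) {
            if (revoked) {
                throw new SecurityException("capability has been revoked");
            }
            // The constraint the passage asks for: access depends on the current operating context,
            // so the same object in the hands of another domain is useless.
            if (!Objects.equals(caller.domain, issuedTo.domain)) {
                throw new SecurityException("capability not valid in context " + caller.domain);
            }
            return target.read();
        }
        void revoke() { revoked = true; }
    }

    public static void main(String[] args) {
        Context trustedApp = new Context("trusted-application");
        Context applet = new Context("untrusted-applet");
        Resource file = new Resource("example-config"); // constructed sample resource

        // Plain capability: once it leaks to the applet context, the applet can read the resource.
        PlainCapability plain = new PlainCapability(file);
        System.out.println("plain, used by applet: " + plain.use(applet));

        // Bound capability: works in the issuing context, is refused elsewhere, and can be revoked.
        BoundCapability bound = new BoundCapability(file, trustedApp);
        System.out.println("bound, used by issuer: " + bound.use(trustedApp));
        try {
            bound.use(applet);
        } catch (SecurityException e) {
            System.out.println("bound, used by applet: denied (" + e.getMessage() + ")");
        }
        bound.revoke();
        try {
            bound.use(trustedApp);
        } catch (SecurityException e) {
            System.out.println("bound, after revocation: denied (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac ContextBoundCapabilityDemo.java && java ContextBoundCapabilityDemo`. The point of the contrast is that the check lives in the capability itself rather than in one global SecurityManager, so each context can be issued capabilities governed by its own policy within a single JVM, and a capability obtained outside its intended context confers nothing.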
In the Java Application Environment, it is currently presumed that system-wide resources are shared by all application code. If more than one application attempts to share a system-wide resource, then there is a potential for conflicts, with the possible effect of obtaining incorrect or incomplete results. The present invention includes features which avoid these conflicts.
A number of computer operating systems create virtual machines (VMs) to give a program the illusion that it has access to all of the system's hardware and/or software features. Notable examples include IBM's VM/SP operating system, and the PC-DOS emulation under IBM's OS/2 and Microsoft's Windows operating systems. These systems primarily attempt to emulate existing computer hardware features, and apply security features as a secondary consideration.