This invention relates generally to the field of secure computing environments, and more particularly to a security framework to dynamically wrap applications in a computing environment without requiring modification to an underlying operating system or the application itself, thereby limiting the amount of potential damage that a successful attacker or corrupt application can cause.
A portion of this patent document contains material that is subject to copyright protection. The copyright owners have no objection to the facsimile reproduction of the material by anyone, as it appears in the Patent and Trademark Office, patent files or records, but otherwise reserve all copyrights whatsoever.
There are many challenges to creating a highly secure computing environment such as preventing eavesdroppers from accessing private communications, preventing vandals from tampering with information while in transit from sender to receiver, verifying a network server is indeed the server it professes to be, safeguarding confidential documents from unauthorized individuals and correctly authenticating users who are attempting to access a network. One of the more difficult challenges is trying to limit the damage that an unauthorized individual can cause in the event that the individual is able to bypass the security mechanisms. Similarly, another difficult challenge is limiting the damage that malicious software can cause in the event that malicious software is accidentally executed by a computing system.
One conventional technique for limiting such damage has been to link special security libraries with each software application that will be executed by the computing system. The libraries prevent any corrupt software application from accessing system resources that would otherwise not normally be accessed via the software application. This approach has been discussed for TCP/IP applications where the SOCKS library is linked with each application. (Leech, M. et al., RFC 1928: SOCKS Protocol Version Mar. 5, 1996). This approach is impractical in that it requires customization of each software application and can be bypassed by making operating system calls that do not invoke the library.
Another approach has been to xe2x80x9cwrapxe2x80x9d an application with a protective layer of software. For example, wrappers have been developed that make use of an operating system""s debug functionality. (Goldberg, I. et al., xe2x80x9cA Secure Environment for Untrusted Helper Applications,xe2x80x9d Proceedings of the 6th USENIX Security Symposium, July, 1996). This approach, however, requires running the operating system in debug mode which is impractical in that it significantly affects the performance of the system and introduces additional vulnerabilities.
For these reasons, and for other reasons stated below which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for a security mechanism that limits the amount of potential damage that a successful attacker or corrupt program can cause. Furthermore, there is a need for such a security mechanism that does not require using debug mode, additional hardware, or modification to the individual software applications or the underlying operating system.
An inventive security framework provides a mechanism for dynamically wrapping standard, commercially available software applications in order to limit the amount of potential damage that a successful attacker or corrupt program can cause. In one aspect, the invention is a computerized method in which one or more security modules are loaded into an operating system that is executing on a computing system. The security module includes security information that can be application-specific or resource-specific. System calls from an application executing on the computing system are intercepted and subsequently processed by the security modules as a function of the security information.
In another aspect, the security framework includes one or more security modules that are loaded within an operating system of a computing system. Each security module includes security information that can be application-specific or resource-specific. A security master executing within the operating system intercepts system calls from the software applications and invokes one or more security modules to process the system call as a function of the security information. The security framework further includes a security manager that is communicatively coupled to the security master. The security manager commands the security master to configure the security modules as a function of input from a user. For example, via the security manager, the user is able to install and remove the security modules.