1. Field of the Invention
The present invention relates, in general, to application software, and, more particularly, to software, systems and methods for providing application services with controlled access into privileged processes.
2. Relevant Background
Application software generally refers to a collection of software mechanisms that implement a desired program behavior to manipulate data provided by a user and/or obtained from both internal and external data stores. A software application typically is implemented on top of an operating system (OS) that provides essential functionality for interfacing with computer system hardware and program interaction. A software application typically implements a user interface using devices such as keyboards, mice, microphones, monitors, and the like to communicate data with a user. Examples include word processors, anti-virus programs, spreadsheets, world-wide-web browsers, and the like.
Application software continues to become more complex and interrelated. As computer hardware becomes more powerful, less expensive, and more ubiquitous in electronic devices, application software that operates on this hardware becomes both more complex and more varied. Unlike hardware, however, software mechanisms tend to evolve rapidly to adapt to new environments and provide additional functionality. This leads to a situation in which installed software applications require, or at least benefit from, continued monitoring and maintenance by skilled software professionals familiar with the construction and mechanisms that make up the software. Although the problem is more pronounced in complex software applications such as security software, anti-virus software, and the like, it remains a significant problem even for comparatively simple applications that must augment or modify behavior to remain competitive.
At the same time, software reliability is becoming more important. As people rely on software performance for more business and personal activities, the costs of software downtime and poor performance have become more significant. These costs are realized both in terms of money and lost time.
The field of “software application management” encompasses a large number of activities undertaken by a business or other software user throughout the life cycle of a software application. Currently, a business need is identified and a software application that can satisfy that need is sought out. The business user typically purchases not only the application, but also associated services necessary to maintain the application. The business typically traverses the “learning curve” during an initial inefficient stage of application deployment while users become familiar with the features and limitations of the application. Often, once the business enters a phase where the application can be used efficiently, the product is already nearing the end of its life cycle and partial or wholesale upgrades must be considered. For complex applications, the users may never completely traverse the learning curve. Hence, a need exists for more efficient deployment of application software.
A common problem in application management is that the people employed to manage the application's deployment are less familiar with the application's functions, features and behavior than are the people who produced the application. This tends to make the application management task complex for those charged with performing it. Businesses are often forced to employ or contract with information technology (IT) specialists to manage the application deployment process.
Application providers have made many efforts to simplify the process of application management. For example, many applications provide downloadable access to updates and patches. This eases distribution of updates and patches, but essentially places the burden of maintaining an application on the user. The user must determine when an update is required and then find, download, install, configure, and maintain the updated code. Curiously, it is the application provider that is often best positioned to perform some or all of these tasks.
Some recently implemented software systems attempt to implement an application using an application service provider model. In this model, application code is executed on a network-connected server in response to requests presented by a client application. The client application serves principally as a user interface to the network and may comprise software such as a web browser or the like. In such systems only a limited amount of code is actually executed on the client machine, and this is often code that is not specific to the application at hand. These systems enable centralized deployment of the application code, making it easier to monitor, modify and update the code.
While the application service provider model recognizes that applications can be provided as services, it is limited in performance due to the centralized nature of its implementation. By running applications on a central server, the overall system performance is subject to performance bottlenecks in the channel linking the client to the centralized application server as well as the capacity and functionality of the server itself. Moreover, the server is logically distant from the client platform (i.e., the client hardware and operating system) and so may be unable to perform behaviors that would be readily implemented by software executing on the client system. In general, the application service provider model is a limited solution to the challenges of application management and continues to place a significant portion of the application management burden on the end user or IT staff supporting the end user.
It is desirable to install and update software application code so as to provide application services from external application services providers. This enables the application services to be maintained and managed by the external provider with minimal impact on the user of the application services. However, providing such application services typically requires access to privileged processes on the user's computer in order to replace the functions previously performed by IT specialists or the users themselves.
In many computer systems a software application executes within the context of a “process”. A process is the active entity associated with a running program and possesses one or more threads of execution along with some amount of resources such as virtual memory address space. It is common to distinguish between the process, which is an embodiment of a running program, and the program itself. The program itself refers to the file system object (i.e., a file) containing a stored representation of the instructions that determine the computer's execution.
Processes have certain attributes, known as credentials or privileges, that reflect their ability to perform various specialized operations. The credentials reflect the privileges assigned to the entity on whose behalf the process was initiated. The entity may be a person, or may be another software program that has authorization to execute the processes. Privileges are assigned by a system administrator who initially is given administrator rights, which enables the administrator to assign rights to other entities.
Entities are assigned different capabilities or privileges based upon their work requirements, level of trust by the computer system administrator, and the like. Trusted entities are given privileges that allow “privileged processes” running on their behalf to execute various operations that might otherwise be forbidden by the operating system. Privilege levels are given a variety of names such as “user-level” to designate a most restrictive privilege set and “admin-level” to designate a least restrictive privilege set.
Access to privileged processes is carefully guarded by most operating system (OS) software. Computer systems can be disabled and/or destroyed by inappropriate use of privileged processes. For example, in a Windows environment the installation process requires manipulation of registry objects. Addition, deletion, and modification of registry objects can render the computer unable to boot the operating system. For these reasons most privileged-mode processes provide carefully limited behavior that is readily checked by system safeguards.
Various software installation systems are available such as InstallShield, Wise Installation System, and Microsoft Setup Toolkit. These systems are generally implemented by a rule-based installation engine executing on the client machine. The rule-based engine implements a set of rules that are expressed in a rule-based instruction file that accompanies the software to be installed. The installation engine has sufficient privileges to manipulate registry entries. The installation engine is invoked by a user who must also have sufficient privileges. The user continuously monitors the progress of the installation process and so can, in theory, prevent undesired modifications to registry objects.
To enable remote provision of application services (e.g., automated or semi-automated installation programs), the user invocation and monitoring of access to privileged processes must be eliminated or minimized. For example, it would be desirable to enable a script running in a web browser, which has only user-level privileges, to update application code involving access to a registry entry. The operating system prevents user-level entities from performing such an operation. A possible solution is to provide a “generic” interface with less restrictive access to privileged processes. This would be akin to giving the general-purpose web browser admin-level privileges. Such a system would be highly flexible, but very insecure, as the operating system could be readily penetrated by unauthorized entities, viruses, and/or programs with bugs.
Remote provision of application services also benefits from having a wide, readily extensible set of privileged processes that can be performed. Unlike conventional rule-based installation programs, a generic agent existing on a client system may need to access any part of a registry file to create, modify and delete entries. A need exists for systems and methods to provide generic, readily extensible mechanisms that are able to access privileged processes without exposing the client system to intentional or inadvertent security risks.
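The contrast drawn in the two preceding paragraphs, a generic admin-level interface versus a privileged mechanism whose behavior is checked before it acts, can be made concrete. The following Python is an added illustration written for this page; it is not code from the patent or from any of the installation systems it names. The registry is a plain dictionary standing in for the real Windows registry so that the example runs offline on any platform, and the vendor key prefixes, the operation names and the `PrivilegedBroker` class are hypothetical.

```python
"""Added illustration: a policy-checked privileged broker.

A user-level requester (for example, a script in a web browser) cannot
touch the registry itself. It hands a request to an agent holding
admin-level rights; the agent applies an explicit policy before acting
and records every decision, replacing the user who would otherwise
watch an installer run. The registry below is a dict standing in for
the real one (constructed for this example).
"""
from dataclasses import dataclass, field

# Hypothetical policy: key prefix -> operations permitted under it.
# Anything not listed here is refused, however the request is spelled.
POLICY = {
    r"HKLM\SOFTWARE\ExampleVendor\ExampleApp": {"create", "modify", "delete"},
    r"HKCU\Software\ExampleVendor\ExampleApp": {"create", "modify", "delete"},
}


@dataclass
class FakeRegistry:
    """Stand-in for the registry: canonical key path -> value."""
    store: dict = field(default_factory=dict)


def normalize_key(key: str) -> str:
    """Canonicalize a registry path before it is compared with POLICY.

    Registry paths are case-insensitive and backslash-separated, so the
    comparison is done on an upper-cased, re-joined form. Relative
    components have no meaning in the registry and are refused rather
    than interpreted, so they cannot be used to slip past a prefix test.
    """
    parts = [p for p in key.replace("/", "\\").split("\\") if p]
    if any(p in (".", "..") for p in parts):
        raise ValueError("relative path components are not permitted")
    return "\\".join(parts).upper()


def is_permitted(op: str, key: str) -> bool:
    """True only if `key` lies under a policy prefix that allows `op`.

    The prefix match is made on a whole path component, so a key such as
    ...\\ExampleAppEvil does not match the prefix ...\\ExampleApp.
    """
    norm = normalize_key(key)
    for prefix, ops in POLICY.items():
        p = normalize_key(prefix)
        if (norm == p or norm.startswith(p + "\\")) and op in ops:
            return True
    return False


class PrivilegedBroker:
    """The agent that holds admin-level rights on the requester's behalf.

    It exposes no generic "write anything" call: each request is checked
    against POLICY, performed only if allowed, and logged either way.
    """

    def __init__(self, registry: FakeRegistry):
        self.registry = registry
        self.audit: list = []  # (op, key, allowed) for every request seen

    def request(self, op: str, key: str, value=None) -> bool:
        try:
            allowed = is_permitted(op, key)
        except ValueError:
            allowed = False  # malformed path: refuse, do not guess
        self.audit.append((op, key, allowed))
        if not allowed:
            return False
        norm = normalize_key(key)
        store = self.registry.store
        if op == "create" and norm not in store:
            store[norm] = value
            return True
        if op == "modify" and norm in store:
            store[norm] = value
            return True
        if op == "delete" and norm in store:
            del store[norm]
            return True
        return False  # permitted operation, but the key state does not fit it


def run_demo():
    """Constructed requests a user-level script might submit."""
    broker = PrivilegedBroker(FakeRegistry())
    app = r"HKLM\SOFTWARE\ExampleVendor\ExampleApp"
    results = {
        "vendor_create": broker.request("create", app + r"\Version", "2.0"),
        "vendor_modify_case": broker.request(
            "modify", r"hklm\software\examplevendor\exampleapp\Version", "2.1"),
        "system_hive": broker.request(
            "modify", r"HKLM\SYSTEM\CurrentControlSet\Services\Example", "x"),
        "prefix_spoof": broker.request("create", app + r"Evil\Run", "x"),
        "dotdot": broker.request(
            "create", app + r"\..\..\Microsoft\Windows\CurrentVersion\Run\Evil", "x"),
        "unknown_op": broker.request("rename", app + r"\Version"),
    }
    return broker, results


if __name__ == "__main__":
    b, r = run_demo()
    for name, ok in r.items():
        print(f"{name:20s} {'allowed' if ok else 'refused'}")
```

The point of the example is where the check sits: the requester's privilege level never changes, the broker's policy is a data table that can be extended without widening the interface, and every refusal leaves an audit record, which is what stands in for the user who previously watched the installer.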