In an open digital communication system connecting physically and organisationally distributed, independent entities, this invention is related to methods for the protection of resources residing in or owned by these entities. Since, in such an open system, any entity can in principle access any resource of any other entity, protection of resources is of ultimate importance to warrant integrity and function of an entity. A current example for such a system is the Internet with its distributed processing stations, servers and end-user computers, which provide and own the resources, e.g. data or program files. The present invention concerns the intelligent protection of such resources, in particular against unauthorized access.
Resource sharing is a well-known concept in many areas: by sharing a scarce, expensive, or seldom used resource, the burden of maintaining this resource is distributed among a group of users. Hand in hand with the desire to share a resource goes the desire to protect the resource from unauthorized use: Resource sharing usually implies resource protection. Not surprisingly, resource sharing and resource protection are key issues of distributed, networked computers. The more computers become ubiquitous and connected, the more the need arises to have means of protecting resources in these connected systems. This requirement is especially true for open networks like the Internet. In such an open, distributed, networked system, it is unavoidable to protect specific resources from unauthorized access, such as sensitive data like password files and private materials, or hardware resources like file system space and communication capacity, or services like cryptographic services. Protecting here means both the basic access to the resource itself and the use of it by an accessing entity; that is, both coarse-grained resource protection (e.g. an entity is allowed to use file system services) and fine-grained resource protection (e.g. an entity is allowed to use file system services, but cannot access password files).
Current approaches to resource protection in distributed systems rely in most cases on authentication-based schemes that require more or less extensive changes at the service- providing entity. xe2x80x9cKerberosxe2x80x9d for example, as described by J. G. Steiner, B. C. Neuman, and J. I. Schiller in xe2x80x9cKerberos: An authentication service for open network systemsxe2x80x9d in Usenix Conference Proceedings, Usenix, February 1988, requires encrypted tickets to be sent along with each service request. After having authenticated herself/himself with a special and trusted ticket granting service, the user can request Kerberos tickets for any other service he/she is entitled to use and wants to invoke. Though rather safe, this is a burdensome, time-consuming, and traffic-increasing way to achieve the desired goal of resource protection. More specifically, the Kerberos approach to resource protection suffers from the drawbacks both that it is not transparent (in the sense that it visible) to the service-providing entities and that it is a discretionary mechanism in the sense that the called entity itself has to check explicitly for a valid ticket from the calling entity. The code implementing the entity must contain calls to respective libraries; an entity that xe2x80x9cforgetsxe2x80x9d to check for a valid ticket will provide access to its resource to any caller. Furthermore, once an attacker compromises the central ticket granting service, he/she also has access to all entities that participate in the associated distributed system.
Another solution for the resource protection task was presented by D. B. Clifton in U.S. Pat. No. 5,469,556, entitled xe2x80x9cResource access security system for controlling access to resources of a data processing systemxe2x80x9d, issued November 1995. Clifton introduces special objects, so-called descriptors, for addressing resources such as memory addresses in hardware. Attached to each descriptor is a set of tables that controls access to a particular resource. Essentially, this descriptor forms a virtual address of the resource (cf. column 3, lines 34-37 of the Clifton patent), and as such establishes a fine-grained access control for resources in a system.
Although Clifton""s approach to resource protection does not suffer from the central vulnerability as Kerberos does, this immunity also represents one of its disadvantages. Clifton""s approach is not applicable to distributed systems as it is tied to the memory address translation mechanismxe2x80x94and thus to a single address spacexe2x80x94through the use of its descriptors. A distributed system, however, practically by definition comprises several address spaces connected by some kind of communication medium. In addition, Clifton""s solution is also not transparent, the user must use the special descriptors and thus has to code his/her programs accordingly.
Furthermore, both the Kerberos and the Clifton approaches cannot deal with resources that appear dynamically during the runtime of the system (and after the resource protection mechanism has been set up). In an environment where entities can immigrate into a distributed system from the outside (e.g. a Java applet coming in from the Internet) exist dynamically created resources and it is necessary to offer protection for these resources, too.
Thus, it is the main object of the invention to establish a resource protection mechanism that is applicable to dynamic distributed systems. A further object is to create a resource protection mechanism that is transparent to a program and/or entity that wants to access the resources to be protected. A still further object of the invention is to devise a method for resource protection that is dynamically expandable, preferably during runtime, to protect newly created resources.
Resources to be protected against unauthorized access in a distributed system are usually owned or provided by entities, e.g. servers or other processing stations. Although, in principle, in an open, distributed system, each entity is allowed to access any resource of any other entity, as discussed above, security requires to protect certain resources and to allow access to them only for certain entities and/or under certain conditions.
Resources may be disk space, files, network connections, but also methods offered by objects and objects themselves. Access to such resources in a distributed system occurs through services or methods, provided by entities or objects. The inventive concept starts from the idea to reduce the access to a resource to the access to a service. To invoke or use a service, the names of both the entity owning or providing the service and of the service itself must be known. To actually access a service, a mapping of its name to its location is obtained, i.e. the name is resolved. The total of the names that an entity xe2x80x9cknowsxe2x80x9d form the name space of that entity; similarly, the total of the entity locations of a system constitute the entity location space of that system.
The underlying basic concept of the invention thus consists in controlling an entity""s access to a service by controlling the name resolution process, e.g. by limiting the visibility of services for this entity. A further feature of the invention consists in providing a variable-grained control of the name space and of the name resolution process, e.g. by executing this control by an xe2x80x9cintelligentxe2x80x9d interception manager. An independent main feature of the invention consists in providing attachable and detachable xe2x80x9cguardsxe2x80x9d which are associated with a name and called before or after this name is used and provide for fine-grained resource protection.
By using one or more of the features above, a dynamically configurable protection domain is created, meaning a controlled and confined environment, i.e. a dynamically configurable xe2x80x9csandboxxe2x80x9d, in which entities can operate freely. Effects of any malicious behavior are restricted to the sandbox and thus cannot propagate to the rest of the system. One can also provide tightly controlled entry and exit points to and from such a sandbox, and, in particular, fine-tune its shape and size dynamically.