A software system provides security against unauthorized operations initiated by software code supplied by an untrusted source.
The allowed operations that are associated with the software code are determined. A thinned interface is generated, which permits the software code to call only the allowed operations successfully. The software code is independent of the security environment of the system, and the thinned interface operates in at least one version of the security environment. The software code and the thinned interface are activated within the system.
BACKGROUND OF THE INVENTION
The invention is directed to systems that incorporate instructions supplied by external, non-trusted sources and, more particularly, to dynamic, transparent multi-level security for such systems.
Many systems, such as telephone network products and data communication products, include externally developed software applications requiring calls to various system functions. It is desirable, however, to limit the functions that the application can call to those that are necessary or that are approved by the developer of the application. Therefore, the systems typically include a security model that requires the application to include code that requests authorization and receives permission or denial to carry out the respective function call. As an example, the Java environment includes security devices such as a security manager, a byte code verifier, and a class loader. However, the security devices of a respective environment may be non-backward compatible with earlier versions. For example, in the Java environment, the security devices in version 1.2 are not backward compatible with those in versions 1.1 and 1.0.2, and the security devices in version 1.1 are not backward compatible with those in version 1.0.2. Thus, an application program written in a respective version of Java is not compatible with other versions.
Furthermore, in some programming environments, such as in the Java environment, the security devices provide multi-level security but are not transparent. Namely, the user code must explicitly interact with the system, and the security devices are not dynamic, namely that off-line changes to the system may be necessary. Alternatively, the security devices are code transparent but do not provide multi-level security.
Therefore, it is desirable to restrict access to a system by untrusted external code using a dynamic, transparent, multi-level security device that is not coded dependent or dependent upon the version of the environment used.
SUMMARY OF THE INVENTION
The present invention provides a security defense that is transparent to the software application. The code of the application is written at a level above the security devices and is version-independent.
The invention includes a security access mediator that receives and authenticates the externally supplied software code, determines the functions permitted to the respective application, and then dynamically generates an interface that allows the software application to call only a portion of the complete set of functions calls. The subset of function calls in the interface is determined as a function of one or more of the following: the credentials of the user that supplies the software application and the user corresponding service access levels; the service access levels assigned to the software application; the device that will run the software application; the time and circumstances under which the application is to be run; the credentials of the server that supplies the software application and its corresponding service access levels; the functions that are to be called by the application; and when another application requests the downloading of the application, the credentials of the requesting application and its corresponding service access levels. Further, the security access mediator is operable in one or more versions of the programming environment.
Under the invention, a method and an apparatus provide security against unauthorized operations in a system that includes software code supplied by an untrusted source. The allowed operations that are associated with the software code are determined. A thinned interface that permits the software code to call only the allowed functions successfully is generated. The software code is independent of the security environment of the system. The thinned interface operates in at least one version of a security environment. The software code and the thinned interface are activated within the system.
Other features and advantages of the present invention will become apparent from the following detailed description concerning the accompanying drawings.