A software system provides security against unauthorized operations initiated by software code supplied by an untrusted source. The allowed operations that are associated with the software code are determined. A thinned interface is generated which permits the software code to successfully call only the allowed operations. The software code is independent of a security environment of the system. The thinned interface operates in at least one version of the security environment. The software code and the thinned interface are activated within the system.
BACKGROUND OF THE INVENTION
The invention is directed to systems that incorporate instructions supplied by external, non-trusted sources and, more particularly, to dynamic, transparent multi-level security for such systems.
Many systems, such as telephone network products and data communication products, include externally developed software applications that require calls to various functions within the system. It is desirable, however, to limit the functions that can be called by the application to those that are necessary or that are approved for the developer of the application. Therefore, the systems typically include a security model that requires the application to include code which requests authorization and receives permission or denial to carry out the respective function call. As an example, the Java environment includes security devices such as a security manager, a byte code verifier and a class loader. However, the security devices of a given environment may not be backward compatible with those of earlier versions. In the Java environment, for example, the security devices in version 1.2 are not backward compatible with those in versions 1.1 and 1.0.2, and the security devices in version 1.1 are not backward compatible with those in version 1.0.2. Thus, an application program written against the security devices of one version of Java is not compatible with other versions.
Furthermore, in some programming environments, such as the Java environment, the security devices provide multi-level security but are not transparent, namely the user code must explicitly interact with the security devices, and they are not dynamic, namely a change in the permissions granted to an application may require off-line changes to the system. Alternatively, the security devices are code transparent but do not provide multi-level security.
It is therefore desirable to restrict access to a system by untrusted external code using a dynamic, transparent, multi-level security device that is not code dependent or dependent upon the version of the environment used.
SUMMARY OF THE INVENTION
The present invention provides a security defense that is transparent to the software application. The code of the application is written at a level above the security devices and is version independent.
The invention includes a security access mediator that receives and authenticates the externally supplied software code, determines the functions that are permitted to the respective application, and then dynamically generates an interface that allows the software application to call only a portion of the full set of function calls. The subset of function calls in the interface is determined as a function of one or more of the following: the credentials of the user that supplies the software application and the user's corresponding service access levels; the service access levels assigned to the software application; the device that will run the software application; the time and circumstances under which the application is to be run; the credentials of the server that supplies the software application and its corresponding service access levels; the functions that are to be called by the application; and, when the downloading of the application is requested by another application, the credentials of the requesting application and its corresponding service access levels. Further, the security access mediator is operable in one or more versions of the programming environment.
In accordance with the invention, a method and an apparatus provide security against unauthorized operations in a system that includes software code supplied by an untrusted source. The allowed operations that are associated with the software code are determined. A thinned interface which permits the software code to successfully call only the allowed operations is generated. The software code is independent of a security environment of the system. The thinned interface operates in at least one version of a security environment. The software code and the thinned interface are activated within the system.
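The following is an added illustration of the mediator and thinned interface described in the summary above; it is not code from the patent and does not claim to be its implementation. The patent discusses Java, but the pattern is shown here in Python for brevity. Every name (SystemServices, LoadRequest, REQUIRED_LEVEL, the device and maintenance-window rules, the sample key and code bytes) is hypothetical and constructed for the example. The mediator authenticates the supplied code, derives the allowed operations from the factors the summary lists (user, application, server and requesting-application levels, device, time of day, and the functions the application intends to call), and then generates a facade that resolves only those operations, so the untrusted code itself contains no authorization calls.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


class SystemServices:
    """Full set of system function calls an application could invoke (hypothetical)."""
    def read_config(self) -> str:
        return "config-data"
    def send_sms(self, number: str, text: str) -> str:
        return f"sms to {number}: {text}"
    def write_config(self, data: str) -> str:
        return f"wrote {data}"
    def reboot(self) -> str:
        return "rebooting"


# Service access level each operation requires (hypothetical table).
REQUIRED_LEVEL: Dict[str, int] = {"read_config": 1, "send_sms": 2, "write_config": 3, "reboot": 3}


@dataclass(frozen=True)
class LoadRequest:
    """The inputs the mediator evaluates when an application is loaded."""
    code: bytes
    code_mac: bytes                        # MAC over the code, attached by the supplying server
    user_level: int                        # service access level of the supplying user
    app_level: int                         # level assigned to the application itself
    server_level: int                      # level of the server that supplied the code
    device: str                            # device that will run the application
    hour: int                              # hour of day at which it will run
    requested_ops: FrozenSet[str]          # functions the application intends to call
    requester_level: Optional[int] = None  # level of a requesting application, if any


def sign_code(server_key: bytes, code: bytes) -> bytes:
    """What the supplying server attaches: HMAC-SHA256 over the code bytes."""
    return hmac.new(server_key, code, hashlib.sha256).digest()


def authenticate(req: LoadRequest, server_key: bytes) -> bool:
    """Constant-time check that the code really came from the claimed server."""
    return hmac.compare_digest(sign_code(server_key, req.code), req.code_mac)


def allowed_operations(req: LoadRequest) -> Set[str]:
    """Effective level is the minimum over every principal in the chain; device,
    time-of-day and least-privilege rules then narrow the set further."""
    levels = [req.user_level, req.app_level, req.server_level]
    if req.requester_level is not None:
        levels.append(req.requester_level)
    allowed = {op for op, lvl in REQUIRED_LEVEL.items() if lvl <= min(levels)}
    if req.device == "customer-premises":  # hypothetical device rule
        allowed.discard("reboot")
    if not 1 <= req.hour <= 5:             # hypothetical maintenance window
        allowed.discard("write_config")
    return allowed & req.requested_ops     # never more than the application asked for


class ThinnedInterface:
    """Generated facade that resolves only the allowed operations; the SystemServices
    object itself is not stored on it. (Python gives no real confinement, since the
    bound methods still expose __self__ to introspection; the structure is the point.)"""
    def __init__(self, target: SystemServices, allowed: Set[str]) -> None:
        object.__setattr__(self, "_allowed", frozenset(allowed))
        for name in allowed:
            object.__setattr__(self, name, getattr(target, name))

    def __getattr__(self, name: str):
        raise PermissionError(f"{name!r} is not in the thinned interface")

    def operations(self) -> FrozenSet[str]:
        return self._allowed


def mediate(req: LoadRequest, server_key: bytes) -> ThinnedInterface:
    """Security access mediator: authenticate, decide, then generate the interface."""
    if not authenticate(req, server_key):
        raise PermissionError("code failed authentication")
    return ThinnedInterface(SystemServices(), allowed_operations(req))


def untrusted_app(services) -> List[str]:
    """Externally supplied code written against the full API, with no authorization
    calls of its own; disallowed calls fail at the facade, never inside the system."""
    out = [services.read_config()]
    for call in (lambda: services.send_sms("555-0100", "hi"), lambda: services.reboot()):
        try:
            out.append(call())
        except PermissionError as exc:
            out.append(f"denied: {exc}")
    return out


if __name__ == "__main__":
    key, code = b"demo-server-key", b"def main(): ..."  # constructed sample values
    req = LoadRequest(code, sign_code(key, code), 3, 2, 3, "customer-premises", 14,
                      frozenset({"read_config", "send_sms", "reboot"}))
    print(untrusted_app(mediate(req, key)))  # reboot denied: app_level 2 < required 3
```

Two properties of the summary show up directly: the application is written against the full SystemServices API and never asks for permission, and the narrowing happens once at load time from the mediator's inputs rather than at each call. Changing a level, device or time rule changes the generated interface without touching the application, which is the dynamic, transparent behaviour the background section contrasts with the version-specific security devices.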
Other features and advantages of the present invention will become apparent from the following detailed description of the invention with reference to the accompanying drawings.