发明名称 |
SYSTEM, METHOD AND APPARATUS FOR SIMULTANEOUS DEFINITION AND ENFORCEMENT OF ACCESS-CONTROL AND INTEGRITY POLICIES |
摘要 |
Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions. |
申请公布号 |
US2017039375(A1) |
申请公布日期 |
2017.02.09 |
申请号 |
US201615298742 |
申请日期 |
2016.10.20 |
申请人 |
International Business Machines Corporation |
发明人 |
CENTONZE Paolina;HAVIV Yinnon Avraham;HAY Roee;PISTOIA Marco;SHARABANI Adi;TRIPP Omer |
分类号 |
G06F21/60;G06F21/57;G06F21/51 |
主分类号 |
G06F21/60 |
代理机构 |
|
代理人 |
|
主权项 |
|
地址 |
Armonk NY US |