Title of invention: SYSTEM, METHOD AND APPARATUS FOR SIMULTANEOUS DEFINITION AND ENFORCEMENT OF ACCESS-CONTROL AND INTEGRITY POLICIES
Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.
Publication number: WO2011062674(A1) Publication date: 2011.05.26
Application number: WO2010US48797 Application date: 2010.09.14
Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION;CENTONZE, PAOLINA;HAVIV, YINNON AVRAHAM;HAY, ROEE;PISTOIA, MARCO;SHARABANI, ADI;TRIPP, OMER Inventor: CENTONZE, PAOLINA;HAVIV, YINNON AVRAHAM;HAY, ROEE;PISTOIA, MARCO;SHARABANI, ADI;TRIPP, OMER
Classification number: G06F9/00;G06F15/16 Main classification number: G06F9/00
Agency: Agent:
Principal claim:
Address:
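The check described in the abstract, sketched as an added example (not code from the patent or its applicants). The policy, the flow graph, the sink names, the per-sink required permissions, and the fail-closed handling of a sink with no influencing principal are all constructed assumptions.

```python
# Constructed policy (assumption): principal -> permissions granted to it.
POLICY = {
    "admin_module": {"file.read", "file.write", "net.connect"},
    "report_lib": {"file.read", "file.write"},
    "http_request": {"net.connect"},
}
# Constructed flow graph (assumption): node -> nodes whose values flow into it.
# Nodes that appear in POLICY are principals; the others are variables or sinks.
FLOWS = {
    "path": ["report_lib", "user_input"],
    "user_input": ["http_request"],
    "log_line": ["admin_module", "report_lib"],
    "write_file(path)": ["path"],
    "append_log(log_line)": ["log_line"],
}
# Constructed sinks (assumption): sink -> permissions it needs to be adequate.
SINKS = {
    "write_file(path)": {"file.write"},
    "append_log(log_line)": {"file.write"},
}

def influencing_principals(node, flows, policy):
    """Walk the flow graph backwards and collect every principal reaching node."""
    seen, stack, found = set(), [node], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue  # guards against cycles in the flow graph
        seen.add(cur)
        if cur in policy:
            found.add(cur)
        stack.extend(flows.get(cur, []))
    return found

def overall_permissions(sink, flows, policy):
    """Intersection of the permission sets of all principals influencing sink."""
    principals = influencing_principals(sink, flows, policy)
    if not principals:
        return set()  # assumption: fail closed when no principal is found
    return set.intersection(*(set(policy[p]) for p in principals))

def integrity_violations(sinks, flows, policy):
    """Map each sink whose overall permission set is inadequate to what is missing."""
    report = {}
    for sink, required in sinks.items():
        missing = required - overall_permissions(sink, flows, policy)
        if missing:
            report[sink] = missing
    return report
```

Here `write_file(path)` is flagged because `http_request` influences `path` and lacks `file.write`, while `append_log(log_line)` passes because both of its influencing principals hold that permission.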