Title of Invention |
System, Method and Apparatus for Simultaneous Definition and Enforcement of Access-control and Integrity Policies |
Abstract |
Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.
|
Publication Number |
US2011126282(A1) |
Publication Date |
2011.05.26 |
Application Number |
US20090624172 |
Filing Date |
2009.11.23 |
Applicant |
INTERNATIONAL BUSINESS MACHINES CORPORATION |
Inventors |
CENTONZE PAOLINA;HAVIV YINNON AVRAHAM;HAY ROEE;PISTOIA MARCO;SHARABANI ADI;TRIPP OMER |
Classification Numbers |
G06F21/00;G06F17/30 |
Main Classification Number |
G06F21/00 |
Agency |
|
Agent |
|
Principal Claim |
|
Address |
|