RU2334363C2 - Mechanism for estimation of safety risks - Google Patents

Abstract

FIELD: information technologies.

SUBSTANCE: mechanism for collective estimation of safety risks, associative linked with application loading consists that the hosting environment, associative linked with application loading, calls the authorised manager for estimation of safety risks which calls a set of the authorised estimation units, and each authorised estimation unit is responsible for the analysis and estimation of various safety risks. After the end of estimation of each safety risk, the results of such separate risk estimation are sent to the authorised manager. The authorised manager groups the variety of results of safety risks estimation and makes the definition of the safety based on grouped results of estimation. The following possible results are: loading of the application, blocking of the application loading or the hint to the user to make solution on expediency of performance of loading.

EFFECT: protection of the user computer from variety of non-comparable safety risks.

20 cl, 5 dwg

Description

This application was filed under the PCT on May 17, 2003 by Microsoft Corporation, a foreign company created and located in the United States with all countries except the United States.

FIELD OF THE INVENTION

The present invention relates to computer security systems. More specifically, the present invention relates to a mechanism for evaluating and grouping security assessment information for computing systems.

State of the art

Modern computer users have access to many different applications and services. A typical computer user can install dozens of computer programs over a year on a computer. In most cases, computer users deliberately install programs on their computers. For example, a user can buy a software package program and install it manually. Sometimes a user may unintentionally install a program, for example, when visiting a certain site on the Internet that has a configuration that allows you to install an application mini-program or a small program on your computer. Installing programs on computers has now become routine, with some users unaware of the security issues caused by installing new software. Other users are generally well aware of security issues, but they are generally not aware of the specific problems that may arise when installing a specific program.

Most users understand that new programs can introduce viruses or other hostile code into their computers. Users also understand that some software developers create programs that are easily accessible and have an open function or purpose, such as improving email messaging, and a hidden function or purpose, such as recording user information, which later turns into a market object . This particular type of software is often called "spyware" snooping tools. So users often try to protect themselves in various ways from such security threats. For example, many users install antivirus utilities to protect themselves from viruses. Some users also install utilities against snooping tools to solve the security problem and protect themselves from snooping tools.

Unfortunately, each security utility runs separately from each other security utility and does not know about each other's performance, thus burdening the user with the need to compare information from each security utility. Modern security systems operate in a vacuum in relation to each other and each of the systems informs the user only about its specific security risks. Most users do not want to have separate notifications of various security risks from several disparate systems. Moreover, they only want their security systems to work. The nature of the “patchwork” work of security utilities currently usually leaves users with a sense of fear that there remains a gap in their protection, and fears that hostile or unwanted programs may penetrate through protection. Because of this fear, many users are reluctant to use new programs, especially in real-time environments.

Unfortunately, there are currently no mechanisms that can protect the user from the many disparate security risks posed by a particular software package program when such a program is downloaded, installed or executed. An adequate mechanism for assessing security risks has eluded the attention of specialists in this field of technology.

SUMMARY OF THE INVENTION

The present invention relates to a system and method for accumulating safety assessment information about a program and for operating based on this information in a convenient and useful manner. In short, the runtime of programs under the control of the main program (hosted environment) is responsible for loading the application. In response to initiating application downloads, the hosted environment calls an authorized administrator to evaluate the security risks associated with the application. An authorized administrator calls up a number of authorized assessment modules, with each authorized assessment module responsible for analyzing and evaluating various security risks. After each security risk assessment has been completed, the results of these individual security risk assessments are returned to the authorized administrator. The Authorized Administrator groups many of the results of a security risk assessment and performs a security determination based on the results of a grouped assessment. As a result of such a determination, a decision may be made to start downloading the application, block the loading of the application, or perhaps prompt the user to decide whether to start the download. It will be preferable if the user after such a hint will be able to make a decision based on a collective assessment of the security of the application, which, in general, gives the user greater confidence in the protection of his computing system.

Brief Description of the Drawings

FIG. 1 is a functional block diagram illustrating a computing device that can be used in implementations of the present invention.

FIG. 2 is a functional block diagram illustrating, in general, system components for performing an application security assessment and for presenting a collective security assessment of such a risk definition to a user.

FIG. 3 is a graphical representation of one illustrative set of granted privileges for an application that associates certain privileges with application components in the application context.

FIG. 4 is a graphical representation of one illustrative user interface that can be used to present collective security assessment information to a user.

FIG. 5 is a flowchart generally illustrating a process for assessing security risks associated with an application and presenting a collective security assessment to a user.

Detailed description of a preferred embodiment of the invention

The present invention will be described here with reference to one example illustrative computing environment in which embodiments of the present invention may be implemented. Next, a detailed example of one specific embodiment of the present invention will be described. Alternative embodiments may also be included with respect to certain details of a specific embodiment. It should be understood that embodiments of the present invention are not limited to the embodiments described herein.

Illustrative Computing Environment of the Invention

FIG. 1 illustrates a computing device that can be used in illustrative embodiments of the present invention. As shown in FIG. 1, one exemplary system for implementing the invention includes a computing device, such as computing device 100. In a most general configuration, computing device 100 typically includes at least one processor 102 and system memory 104. Depending on the exact configuration and a type of computing device, system memory 104 may be volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.), or some combination of these two memories. System memory 104 typically includes an operating system 105, one or more program modules 106, and may include program data 107. This basic configuration of computing device 100 is shown in FIG. 1 by those components that lie within the area surrounded by dashed line 108.

Computing device 100 may have additional features or functionality. For example, computing device 100 may also include additional storage devices (removable and / or non-removable), such as, for example, magnetic disks, optical disks, or magnetic tape. Such an additional data storage device is shown in FIG. 1 by a removable data storage device 109 and a non-removable data storage device 110. Computer storage media may include volatile and non-volatile, removable and non-removable media implemented in any way or technology for storing information, such as computer-readable instructions, data structures, program modules or other data. System memory 104, removable data storage device 109 and non-removable data storage device 110 are all examples of computer storage media. Computer storage media includes, but is not limited to, RAM, ROM, electrically erasable programmable ROM, flash memory or other technical storage media, rewritable compact disc (CD-ROM), digital multi-purpose discs ("DVD"), or other optical device data storage, magnetic cassettes, magnetic tape, magnetic disk drives or other magnetic data storage devices, or any other storage medium that can be used to store the required information and which can be accessed by the computer device 100. Any such computer storage medium may be part of device 100. Computing device 100 may also have input device (s) 112, such as keyboard 122, mouse 123, pen, speech input device, touch input device, scanner, etc. d. An output device (s) 114, such as a display device, speakers, printer, etc., may also be included in the system. These devices are well known in the art and do not require a detailed discussion here.

Computing device 100 may also include communications connections 116 that enable the device to communicate with other computing devices 118, such as network communications. Communication connections 116 are one example of a communications medium. The data medium can usually be implemented by computer-readable instructions, data structures, program modules or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and include any information delivery medium. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a way as to encode information in the signal. By way of example, but not limitation, communication media include wired media, such as a wired network or a direct wired connection, wireless media, such as acoustic, RF (radio frequency), infrared, and other wireless media. The term “computer-readable media” as used herein includes both storage media and data transmission media.

Description of the specific implementation of the invention

FIG. 2 is a functional block diagram illustrating, in general, environmental components implementing the present invention. As shown in FIG. 2, the authorized assessment system 200 is configured to evaluate the application 201 and identify any security risks associated with the application 201. The application 201 may be any executable code available to the computing device 100. There are some inherent security risks associated with the execution of the application 201 on computing device 100. For example, application 201 may contain a virus or provide means for surveillance. System 200 is respectively configured to analyze application 201 to evaluate and quantify the degree of these risks in a meaningful way. The authorized evaluation system 200 then decides to download the application 201.

Application 201 may consist of several components that work together. For example, an application 201 may include many modules or kits, such as kit A 202 and kit B 203. Application 201 may include metadata describing the application and each of its constituent components. The metadata may be contained in ad 205 or otherwise stored associatively associated with the application 201. The metadata may include information such as the name of the application, version of the application, as well as the rights and authority that the components of the application would like to have, privacy policy information, digital information signatures and other similar information.

Application 201 may first be downloaded to computing device 100 in one of many ways. For example, the application 201 can be downloaded during a communication session over the Internet, it can be obtained on an optical disk or other permanent memory, it can be received in an e-mail message or through some other mechanism. In this implementation, application 201 is downloaded and executed in a program execution environment 220 under the control of a main program (hosted environment). For the purposes of this discussion, the program execution environment 220 under the control of the main program includes any environment in which the application 201 will be executed. For example, the program execution environment 220 under the control of the main program can be a managed code execution environment, a shell, another application, or similar components . In this particular embodiment, the program execution environment 220 under the control of the main program may include priority ranking based on the type of system that acts as the master node. For example, it can be established that the runtime of programs under the control of the main program associated with the optical disk drive may offer a lower security risk than the runtime of programs under the control of the main program associated with a communication session via the Internet. Priority ranking can be used later when assigning a security label to application 201.

The program execution environment 220 under the control of the main program is configured to create an application description object (OO, ADO) 221 based on the metadata about the application 201. The program execution environment 220 under the control of the main program includes sufficient information about the application 201 in the OOP 221 to effectively evaluate security risks associated with application 201. OOP 221 may accordingly include, in the form of an object, the application name, application version, rights and authorities required by the component components and applications, privacy policy information, digital signature information and similar data. The program execution environment 220 under the control of the main program is also configured to call an authorized administrator 210 to perform an evaluation.

The authorized administrator 210 may be an authorized component of the operating system installed on the computing device 100. In this particular embodiment, the authorized administrator 210 provides an interface that is invoked by the program execution environment 220 under the control of the main program to initiate the security assessment of application 201. The authorized administrator 210 receives OOP 221 from environment 220 run programs under the control of the main program through this interface. Authorized administrator 201 is also configured to call a number of authorized assessment mechanisms (machines) to evaluate security risks associated with application 201. Each assessment mechanism is configured to evaluate a specific threat class based on information in OOP 221 or components of application 201 itself. For example, evaluation mechanism 240 may be a quantification mechanism that evaluates evidence in relation to an application that may be contained in OOP 221 or otherwise be able to limiting the ability of an application to perform hostile acts on computing device 100. The evaluation engine 241 may be a virus detector, and the evaluation processor 242 may be configured to evaluate the privacy interests of the application 201. Each of the evaluation mechanisms may be derived from a base class or may be implemented as interface.

Each rating mechanism is configured to evaluate application 201 according to its specific rules or criteria in order to quantify 245. Examples of quantification include a numerical value between a minimum and a maximum or a discrete value from a set of alternative security levels. These quantities are merely examples and do not constitute an exhaustive list of quantities. Quantification 245 may then be returned to the authorized administrator 210 through each evaluation mechanism at the completion of such evaluation. The Authorized Administrator 210 is configured to group individual scores into a scores group 250, which represents a collective assessment of application security in each of the areas for which a scoring mechanism exists. Any priorities that may occur, for example, priorities associated with a particular type of program execution environment 220 under the control of the main program (hosted environment), can be applied to the quantitative assessment group (GKO) 250 to further define a collective safety assessment. Based on such a collective security assessment, an authorized administrator 210 may have sufficient information to make a download decision without involving the user. For example, predefined thresholds (default or maybe user defined) can determine which programs can be downloaded without asking for user consent, or which programs can be blocked without prompting the user. If a collective security assessment for a specific (downloadable) application falls between these two thresholds, the user can be invited to make a download decision.

The authorized administrator 210 creates an authorized object 261, which describes the level of authority at which the application can be downloaded, if at all. Authorized entity 261 may include data that defines a set of 262 granted permissions for an application on an exploded basis. One example of an illustrative set of granted permissions 262 is shown in FIG. 3 and is described below. If the collective security assessment for the application 201 falls between these two thresholds mentioned above, then the authorized administrator 210 can transfer the authorized object 261 to the user interface 260, so that the user can get a hint.

The user interface 260 is a mechanism for presenting the user with a collective safety assessment in a meaningful way so that the user can make an informed decision about the next steps. The user interface 260 can take many forms, such as a dialog box, an acoustic signal, an indicator in the form of a graphical image, or a similar form. One example of a possible user interface 260 is shown in FIG. 4 and is described below. Essentially, the user interface 260 represents a single viewpoint for various and disparate security information that does not exist in known systems.

The user interface 260 may prompt the user about possible security branches when authorized to download the application, and possibly provide the user with various levels of authority that may be assigned to the application. The user is asked to decide whether or not to download the application. The user interface (UI) 260 adds the user response information to the authorized entity 261 (UO) and returns it to the authorized administrator 210.

Each time the application 201 is launched or executed, its program execution environment 220 could call an authorized administrator 210 to retrieve the security assessment of the application 201. In the case where a set of 262 represented credentials has already been created, the authorized administrator 210 may return this set of 262 granted credentials environment 220 program execution under the control of the main program. Alternatively, the program execution environment 220 under the control of the main program could cache the security assessment information for subsequent use without involving an authorized administrator 210. The program execution environment 220 under the control of the main program will then impose any access privileges identified in the set of granted permissions 262, to application 201. More specifically, the program execution environment 220 under the control of the main program can impose access privileges on each individual computer a component such as package A 202, applications 201. It is also possible that the program execution environment 220 under the control of the main program or some other application may present the component to an authorized administrator 210 for evaluating security without the special intention of subsequent execution of the component.

FIG. 3 is a graphical representation of an illustrative set of 301 represented credentials that can be created by implementations of the present invention. It should be noted that the concept of “set of granted authority” used in this document means any group of information that is used to determine the safe environment in which the application can be executed. The concept of “set of privileges granted” used in this document is not limited to a specific safe environment, such as a common language runtime, but is intended to indicate the information used to determine the safe environment in which the application is run, regardless of the specific working environment. environment.

In this specific example, the set of granted permissions 301 may be data within an object, such as an authorized object or similar data. In this example, the set of granted permissions 301 includes information that identifies each component of the application. In addition, the set of granted permissions 301 includes information that defines the credentials for each component of the application. In this case, the component table 310 identifies the component as follows: set A, set B, and set C, and associates each of these components with a set of permissions. For example, in set 301 of granted credentials, set A is identified as having a set of credentials (NP 1).

Authorization table 320 is also included in a set of 301 granted privileges to specifically define privileges such as privileges, which are security rights associated with each set of privileges. In this example, the set of permissions NP 1 includes such privileges and rights identified in the example as permissions 1. It is clear that, as described above, when the program execution environment 220 under the control of the main program starts loading application components, referring to the set of 301 granted permissions, the corresponding permissions can be applied to each component of the application in the context of the application. In other words, some other application may also include B, but in the context of this other application, B may have a different set of privileges. In this case, when another application is being executed and when set B has been downloaded, it will have a set of permissions defined by the set of granted permissions associated with another application.

In FIG. 4 illustrates an illustrative user interface dialog that can be presented to a user based on an application security rating. In such a specific example, a dialog 401 is presented based on an evaluation of an application that requested access to a file system and a network. In addition, the virus assessment module determined that the application does not contain a virus. An indication in the form of a graphic image may also include a risk level 405. The user is given the opportunity to select or perform a download, for example, by clicking on the OK button 410 or interrupt the download. The user interface shown in FIG. 4 is for illustration only and cannot be considered a limiting or exclusive mechanism for providing security information to a user. Indeed, it can be assumed that so many different forms of presenting a collective safety assessment will become apparent from the disclosure of this document.

In FIG. Figure 5 is a logical flowchart generally illustrating the process of identifying and collectively providing meaningfully information on the security risks proposed by the application. The process begins at step 501, where the application is downloaded for execution on a computing system. As described above, an application can be downloaded in many different ways through various types of systems where programs are running. The start step 501 accordingly shows that the specific application is downloaded using the specific system where the program is being executed. The process continues to step 503.

At step 503, the system where the programs are executed creates an application description object (OOP) based on the application information. As described above, information can be obtained from the announcement (“manifest”) included with the application, or through any other metadata associated with the application. OOP contains descriptive information about the application, such as the name and version of the application, any rights requested by the application, any code access permissions requested by the application, digital signature information related to the application, privacy policy information and similar information. The process continues to step 505.

At step 505, the system where the programs are executed calls an authorized administrator by the team to assess the risks associated with the application. The system where the programs are running (host) transfers the OOP to an authorized administrator for use in the evaluation.

At step 507, the authorized administrator begins the application security risk assessment by invoking a series of authorized assessment modules so that each assessment module evaluates a specific area of security risk. For example, the virus assessment module may be configured to check each component of the application for the possibility of containing the virus in the application. The privacy assessment module can evaluate the credentials requested by the application to determine the level of privacy threat that the application presents. Many other authorized assessment modules can also be used, as will be apparent to those skilled in the art.

Cycle 508 is conducted for each authorized evaluation module (EMA) in the system. Cycle 508 begins at block 509, where the current authorized evaluation module checks the information in the OOP and / or application components to evaluate the security risk. Information in OOP can be compared with a set of rules or other criteria to create a quantitative assessment that quantifies the security risk of the application. In one example, the quantification can be from zero (maximum risk) to one (minimum risk). Quantification may also include priority and a string descriptor.

It will be appreciated that the assessments performed by each authorized assessment module are similar to similar safety risk assessments that can be performed by known mechanisms. However, in accordance with the present invention, each authorized assessment module evaluates the prospective security risk and returns the quantitative assessment group to the authorized administrator (step 511). When each authorized evaluation module returned to the authorized administrator its quantitative evaluation group, the cycle ends and the process continues at step 513.

At step 513, the authorized administrator analyzes the quantification groups from the authorized evaluation modules. An authorized administrator can prioritize groups of quantitative evaluations based on predefined criteria, such as priority associated with a specific authorized evaluation module, or some other prioritization scheme. For example, there may be a high risk that a virus is present that can outweigh the low risk that a privacy violation may occur. The authorized administrator determines from the prioritized groups of quantitative assessments the group effect on security on the computer system. If the group security impact on the system exceeds a predetermined threshold, an authorized administrator can simply block the application from loading. If the group security impact is below a predetermined threshold, an authorized administrator can simply create an authorized entity that includes enough authority to execute the application. If, however, none of these cases occurs, an authorized administrator can call the user interface - make an offer to the user to make a decision.

At step 515, the authorized administrator passes the prioritized group of quantitative estimates and group exposure information to the user interface (IP) for a final assessment, if required by the user. If this is the case, a group security impact is presented to the user. The presentation may be in the form of a dialog box that summarizes or specifically details the security risks associated with downloading the application. For example, a quantification mechanism may determine that an application has requested sufficient authority to read and modify files on a computer and to transfer data over a network connection. Based on such information, along with perhaps other evidence, the privacy assessment module can determine that the application is likely to share user information over the network. Therefore, such information can be combined to inform the user that downloading the application is likely to result in the user becoming the target of telemarketing campaigns or other inappropriate use of the user's personal information. The user is preferably provided with information on disparate security risks collected in a general notification, such as a dialog box or similar tool.

At step 517, by any input from the user interface, the authorized administrator modifies the authorized object to describe a secure environment in which the application can be executed. In one embodiment, an authorized entity includes data that associates an application or application components with a set of credentials. The set of privileges presented describes the level of security that will be applied during application execution. In one specific environment, the set of represented privileges is associated with each component of the application. Thus, a component that is shared between different applications can be executed with different privileges depending on the context of the application in which it is executed. The process may not perform any actions at step 517 until the application is actually executed, thereby forcing the system where the programs are running to start loading application components. The process then continues to step 519.

At step 519, the application is loaded by the system where the programs are executed. According to the part of the security policy that is applied to downloadable applications, the system where the programs are executed asks an authorized administrator for an authorized object associated with the application. When each component of the application is downloaded, the set of granted permissions associated with this application is attached. Thus, applications that have been downloaded in accordance with the present invention are allowed only those privileges set by the user in an informed, direct and understandable way. If the application has not been granted sufficient privileges, an authorized administrator can block the execution of the application.

The above description text, examples, and data adequately describe the concepts and illustrated implementations of the invention. Since many embodiments of the invention can be implemented without departing from its scope and principles, the scope of patent protection of the invention is determined by the attached claims.

Claims (20)

1. Computer-readable media having computer-executable components comprising an authorized administrator configured to receive a notification that the application is loading, and in response to this, initiate an application assessment for a plurality of security risks, and the authorized administrator is also configured to group quantifications associated with each safety risk assessment to determine a collective safety assessment based on on grouped quantitative assessments, and a user interface configured to present a collective security assessment as determined by an authorized administrator and to provide the ability to make a determination as to whether to continue downloading the application. 2. The computer-readable medium according to claim 1, wherein the application is loaded by the program runtime under the control of the main program (hosted environment), said program runtime under the control of the main program giving a notification to the authorized administrator. 3. The computer-readable medium of claim 2, wherein said program execution environment under the control of the main program is configured to create an application description object that includes descriptive information about the application. 4. The computer-readable medium of claim 3, wherein the descriptive information includes an application name and an application version. 5. The computer-readable medium of claim 3, wherein the descriptive information identifies the rights and authorities requested by the application components. 6. The computer-readable medium of claim 3, wherein the descriptive information includes privacy policy information. 7. The computer-readable medium of claim 3, wherein the descriptive information includes digital signature information regarding the application. 8. The computer-readable medium of claim 1, wherein the security risk assessments are performed by a separate authorized assessment module, wherein each authorized assessment module is configured to analyze a particular security risk associated with this application. 9. The computer-readable medium of claim 8, wherein the specific security risk is the presence of a virus. 10. The computer-readable medium of claim 8, wherein the particular security risk is a breach of confidentiality. 11. The computer-readable medium of claim 1, wherein the collective security assessment identifies one or more risks associated with downloading the application. 12. The computer-readable medium of claim 1, wherein the authorized administrator is further configured to group estimates of security risks determined upon receipt of the notification that the application is loading. 13. The computer-readable medium according to claim 1, which further comprises a data structure, wherein said structure contains a set of granted privileges associated with the application, the set of granted powers includes a first table and a second table, the first table includes a list of components constituting the application, with each component being associated with a set of permissions, the second table includes a list of sets of permissions and a description of each set of permissions. 14. A computer-implemented method for evaluating and grouping security assessment information for a computing system, comprising receiving a notification that the application is being downloaded by the program runtime under the control of the main program (hosted environment), receiving an application description object that includes information about application, initiating an application assessment to determine the multiple security risks associated with the application, grouping the results from an assessment of the set Security claims and providing results grouped in a collective assessment of the security applications and enabling to make a determination on whether to allow downloading applications. 15. The computer-implemented method of claim 14, wherein initiating the evaluation of the application also comprises calling a plurality of authorized evaluation modules, each authorized evaluation module being associated with a particular potential security risk and able to assess the likelihood that the application will be damaged by a certain potential safety risk corresponding to such an authorized assessment module. 16. Implemented on a computer the method according to 14, also containing the assignment of a set of permissions to the application, and the set of permissions determines the authority with which execution of the application will be allowed. 17. Implemented on a computer, the method according to clause 16, also comprising the step of: in response to the notification of the execution of the application, a set of privileges is extracted and the execution of the application with the corresponding authorities is determined. 18. Implemented on a computer, the method according to clause 16, in which the set of permissions determines the authority for the application components. 19. Implemented on a computer, the method according to clause 16, further comprising interrupting the loading of the application in response to receiving grouped results. 20. The computer-implemented method of claim 16, wherein initiating an application assessment to determine a plurality of security risks associated with the application, comprises verifying that the application for determining security risks has been accepted after notification that the application is loading by the program runtime under management of the main program.

Images