WO2022128143A1 - Protection of a computer system and its software from installing and running software applications on incompatible platforms - Google Patents


Info

Publication number
WO2022128143A1
Authority
WO
WIPO (PCT)
Prior art keywords
software application
computer system
policy
application
condition
Application number
PCT/EP2020/087353
Other languages
French (fr)
Inventor
Oleg Pogorelik
Original Assignee
Huawei Technologies Co., Ltd.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring users, programs or devices to maintain the integrity of platforms at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/12 Protecting executable software
    • G06F21/121 Restricting unauthorised execution of programs

Definitions

  • the disclosure relates generally to a computer system. Moreover, the disclosure relates to a method for operating the computer system.
  • Access control systems are known to be used in computer systems for purposes of supporting, understanding, and enforcing application access policies; the access control systems include various tools and components for such purposes. Moreover, the access control systems employ a framework that serves a security goal of protecting system assets such as Application program interfaces (APIs), sensitive data, communication channels, and so forth against adversarial or compromised applications.
  • APIs Application program interfaces
  • a software vendor specifies, in a manifest, the application permissions and the resources required by an application, signs the manifest, and then uploads it to an application store as part of a package.
  • the application permissions are checked by an operating system (OS) during installation on the specific device, wherein the OS compares the application permissions relative to pre-defined system policies; if the application permissions are incompatible with the pre-defined system policies, the package is not allowed.
  • OS operating system
  • corresponding application policies are added to an application policy registry.
  • the user can update the application permissions selectively during an application life cycle.
  • the specific device matches application access to the resources with an appropriate policy during a run-time of the application.
  • the specific device may enable access for legitimate and benign applications working under definitions of the manifest.
  • the specific device may reject the access if an adversarial or tampered application accesses a resource beyond an allowed scope.
  • security objectives may protect system security assets such as a user’s data, communication channels, system configuration, services, and so forth from attacks originated by an adversarial application.
  • Known approaches have advanced solutions that may be based on software (SW) vendors or third-party sandboxes, virtual machines, or application isolation middleware. These solutions typically intercept interaction of an application with the OS and implement advanced policy enforcement techniques to ensure that the application does not exceed an expected behavioral pattern.
  • SW software
  • these known solutions have their own disadvantages. For example, one such known solution mandates that additional APIs be used for monitoring run-time (RT) conditions, leading to a wider exposure of system assets to the application; the additional APIs enlarge the attack surface and bring additional associated security risks of information disclosure and leakage.
  • RT run-time
  • Another such known solution provides a way for an attacker to tamper with a given application and break its associated conditions.
  • application dependencies on RT conditions are hidden and cannot be validated by third parties.
  • Another known solution requires SW re-deployment for being able to change a RT condition.
  • the disclosure provides a computer system and a method for operating the computer system including a processor and a memory configured to store an operating system.
  • a computer system including a processor and a memory configured to store an operating system (OS).
  • the processor when executing the OS, is configured to cause the computer system to obtain, from a software application, a condition for a software application operation.
  • the processor when executing the OS, is configured to cause the computer system to determine whether or not the computer system satisfies the condition for the software application operation.
  • the processor when executing the OS, is configured to cause the computer system to prevent an operation to the software application in response to the computer system being unable to satisfy the condition for software application operation.
  • the computer system is of advantage in that the computer system establishes a unified framework for application security control. Moreover, the computer system provides tools for the application security control by a network. Furthermore, the computer system reduces, for example minimizes, risks of application misuse or improper activation in an adversarial environment. Additionally, the computer system supports a “strong” protection at OS level. Beneficially, the computer system is less exposed to application-level adversaries, as the unified framework prevents the application from being installed on an incompatible platform. The computer system reduces, for example minimizes, risks of security breaches such as denial-of-service (DoS) attacks, distributed-denial-of-service (DDoS) attacks, man-in-the-middle (MitM) attacks, and so forth.
  • DoS denial-of-service
  • DDoS distributed-denial-of-service
  • MitM man-in-the-middle
  • the computer system enables OS enforcement that is much more secure and adversary resilient. Moreover, the computer system makes validation and assessment of application run-time conditions easier. Furthermore, the computer system cancels installation of an application on a platform if the platform is not compatible, thereby enabling software vendors and regulators to manage application compatibility independently. Additionally, the computer system enables a more robust and secure enforcement of application behavior by a trusted network.
  • the condition for software application operation includes a first policy for installing the software application.
  • the operation to the software application includes installing the software application.
  • the computer system is configured to obtain, from the software application, the condition for software application operation by obtaining the first policy from the software application when receiving the software application from a network.
  • the condition for software application operation includes a second policy for the software application to access protected data.
  • the operation to the software application includes executing the software application.
  • the computer system is configured to obtain, from a software application, the condition for software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
  • the computer system is further configured to present a user prompt when preventing the operation to the software application.
  • the computer system is further configured to receive an authorization input by a user of the computer system according to the user prompt.
  • the computer system is configured to generate the user prompt when the software application requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system, and to update an application access policy of the computer system on approval from the user.
  • the computer system is of advantage in that the computer system prevents the software application being installed on incompatible platforms and prevents the software application from being executed if the run-time conditions are inconsistent with existing policies of the computer system. The computer system enables ease of the run-time conditions validation.
  • the computer system is configured to generate a user warning if the computer system is not able to meet fully the condition of the software application in respect of data security.
  • a method for operating a computer system including a processor and a memory configured to store an operating system, OS.
  • the method includes configuring the processor, when executing the OS, to cause the computer system to obtain, from a software application, a condition for a software application operation.
  • the method includes using the processor, when executing the OS, to determine whether or not the computer system satisfies the condition for the software application operation.
  • the method includes using the processor, when executing the OS, to prevent an operation to the software application in response to the computer system being unable to satisfy the condition for software application operation.
  • the method is of advantage in that the method establishes a unified framework for application security control. Moreover, the method provides tools for the application security control by a network. The method reduces, for example minimizes, risks of misuse or improper activation of the software application in an adversarial environment. The method supports a “strong” protection at OS level.
  • the condition for software application operation includes a first policy for installing the software application.
  • the operation to the software application includes installing the software application.
  • the method includes configuring the computer system to obtain, from the software application, the condition for software application operation by obtaining the first policy from the software application when receiving the software application from a network.
  • the condition for software application operation includes a second policy for the software application to access protected data.
  • the operation to the software application includes executing the software application.
  • the method includes configuring the computer system to obtain, from a software application, the condition for software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
  • the method includes configuring the computer system to present a user prompt when preventing the operation to the software application and receive an authorization input by a user of the computer system according to the user prompt.
  • the method includes configuring the computer system to generate the user prompt when the software application requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system, and to update an application access policy of the computer system on approval from the user.
  • the method includes configuring the computer system to generate a user warning if the computer system is not able to meet fully the condition of the software application in respect of data security.
  • a computer program product having computer-readable instructions, the computer-readable instructions being executable by a computerized device including processing hardware to execute a method.
  • the computer program product is stored on a non-transitory computer-readable storage medium as computer-readable instructions.
  • FIG. 1A is a block diagram of a computer system including a processor and a memory configured to store an operating system in accordance with an embodiment of the disclosure.
  • FIG. 1B is a block diagram that illustrates a computer system in accordance with an embodiment of the disclosure.
  • FIG. 2 is a block diagram that illustrates a software architecture for implementing an application framework in accordance with an embodiment of the disclosure.
  • FIG. 3 is a block diagram of a computer system in accordance with an embodiment of the disclosure.
  • FIG. 4 is an interaction diagram that illustrates a method for operating policy enforcement during installation and run of a software application in accordance with an embodiment of the disclosure.
  • FIG. 5 is a flow diagram that illustrates a method for operating a computer system including a processor and a memory configured to store an operating system (OS), in accordance with an embodiment of the disclosure.
  • FIG. 6 is an illustration of a computing arrangement for use in implementing embodiments of the disclosure.
  • Embodiments of the disclosure provide a computer system including a processor and a memory, wherein the computer system is configured to store an operating system to establish a unified framework for application security control and to reduce (for example, to minimize) risks of misuse or improper activation of a software application in an adversarial environment. Moreover, embodiments of the disclosure provide a method for operating the computer system to store an operating system to establish a unified framework for application security control and to reduce (for example, to minimize) risks of misuse or improper activation of a software application in an adversarial environment.
  • Embodiments of the disclosure are concerned with protecting the computer system against improper activation of the software application in an adversarial environment.
  • the computer system is protected against improper activation of the software application in the adversarial environment.
  • the disclosure establishes a unified framework for application security control and provides tools for the application security control by an infrastructure.
  • the disclosure allows the computer system to reduce, for example to minimize, risks of application misuse or improper activation in an adversarial environment.
  • the disclosure allows the computer system to reduce, for example to minimize, risks of security breaches such as denial-of-service (DoS) attacks, distributed-denial-of-service (DDoS) attacks, man-in-the-middle (MitM) attacks, and so forth.
  • the disclosure allows the computer system to enable OS enforcement that is much more secure and adversary resilient.
  • the computer system enables ease of application run-time conditions validation and assessment.
  • a process, a method, a system, a product, or a device that includes a series of steps or units is not necessarily limited to expressly listed steps or units but may include other steps or units that are not expressly listed or that are inherent to such process, method, product, or device.
  • FIG. 1A is a block diagram illustrating a computer system 104 including a processor 106 coupled to a data memory 108, wherein the data memory 108 is configured to store an operating system (OS) in accordance with an embodiment of the disclosure.
  • the processor 106 when executing the OS, is configured to cause the computer system 104 to obtain, from a software application, a condition for a software application operation.
  • the processor 106 is configured to determine whether or not the computer system 104 satisfies the condition for the software application operation.
  • the processor 106 is configured to prevent an operation to the software application in response to the computer system 104 being unable to satisfy the condition for software application operation.
  • the computer system 104 establishes a unified framework for application security control.
  • the computer system 104 provides tools for the application security control by a network.
  • the computer system 104 reduces, for example minimizes, risks of misuse or improper activation of the software application in an adversarial environment. Thereby, the computer system 104 supports a “strong” protection at OS level.
  • the condition for software application operation optionally includes a first policy for installing the software application.
  • the operation to the software application includes installing the software application.
  • the computer system 104 is configured to obtain, from the software application, the condition for software application operation by: obtaining the first policy from the software application when receiving the software application from a network.
  • the condition for the software application operation optionally includes a second policy for the software application to access protected data.
  • the operation to the software application includes executing the software application.
  • the computer system 104 is configured to obtain, from the software application, the condition for the software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
  • FIG. 1B is a block diagram illustration of the computer system 104 in accordance with an embodiment of the disclosure.
  • the computer system 104 includes the processor 106 coupled to the memory 108, wherein the memory 108 is configured to store an operating system (OS) 112.
  • the computer system 104 includes a software application 110 and resources 130.
  • the operating system (OS) 112 includes an application installer 114, a run-time (RT) policy repository 116, a run-time (RT) policy enforcer 118, a system manifest 120, a system policy repository 122, an application policy repository 124, an access policy enforcer 126 and a system and environment unit 128 that stores system and environment conditions.
  • the application policy repository 124 may be accessed by the RT policy enforcer 118.
  • the RT policy repository 116 may include the application policy repository 124, or the RT policy repository 116 and the application policy repository 124 may be merged or combined, and the merged or combined repository may be called the RT policy repository 116 or another name. Accordingly, the access policy enforcer 126 may be omitted and its function may be performed by the RT policy enforcer 118. Examples of the system and environment conditions stored in the system and environment unit 128 include: (i) whether or not the computer system 104 is connected to the Internet; (ii) whether or not secure data storage is provided; (iii) whether or not a trusted execution environment is provided; (iv) whether a 3D camera or a 2D camera is provided, and so forth.
  • the resources 130 may include a mobile phone, a network, files, pictures, and so forth.
  • the block diagram further includes an application store 132 and an application manifest 134 that includes run-time conditions.
  • the computer system 104 may be a mobile phone, a Personal Digital Assistant (PDA), a tablet, a desktop computer, a server, or a laptop.
  • the application installer 114 downloads and installs the software application 110 from the application store 132.
  • the application store 132 is an online portal through which software applications 110 are made available for procurement and download.
  • the application installer 114 is configured to parse and understand the requirements that the application 110 places on the platform of the computer system 104 on which it is to run, and to check whether the platform can meet those requirements; contemporary installers do not provide such functionality.
  • the installer 114 is configured to check, before installing the software application 110, whether the platform provides the capabilities that the software application 110 requires.
  • the application installer 114 may therefore evaluate the run-time conditions of the software application 110.
  • the run-time (RT) policy enforcer 118 may monitor the run-time conditions of the software application 110 and determine whether or not the run-time conditions of the software application 110 are matched with current system and environment conditions.
  • the run-time (RT) policy enforcer 118 may block the launch of the software application 110, or “kill” (namely, stop the execution of) an already running software application 110, if the run-time conditions of the software application 110 are not matched with the current system and environment conditions.
  • the RT policy enforcer 118 may poll the system registry and the state/status monitor repositories. It may also register for change notifications delivered by the appropriate system engines (such as the system state and status monitors).
  • the installer 114 checks platform capabilities during installation of the application 110, whereas the run-time policy enforcer 118 checks run-time conditions during execution of the application 110.
  • the installer 114 and the policy enforcer 118 are mutually different elements of the computer system 104.
  • the installer 114 checks whether the application should be installed before actually installing it; this is a one-time operation that checks the hardware (HW) and software (SW) configuration only.
  • the run-time enforcer 118 is a much more powerful tool that checks the states and statuses of the resources required by the application at launch and during run time. These conditions may change and therefore must be checked frequently and in detail.
  • the application manifest 134 may be modified to support new attributes that allow the run-time conditions of the software application 110 to be specified.
  • the application manifest 134 may include new attributes allowing an application vendor to specify requirements for the hosting platform and run-time environment in which the software application 110 is to be executed; these attributes can be provided, for example, by updating an associated manifest.
  • a "manifest" file in the computer system 104 is a file containing metadata for a group of accompanying files that are a part of a set or coherent unit.
  • files of a computer program may have a manifest describing a name, a version number, a license and constituting files of the computer program/software application 110.
  • the system manifest 120 is metadata that defines a system computing environment.
  • the system manifest 120 and status Application Program Interfaces may be expanded by a list of system resources and attributes required in the evaluation of the run-time conditions of the software application 110, which may include a camera type, a connection state, a user’s age, and so forth.
  • the application installer 114 determines whether or not the computer system 104 can accommodate the software application 110, for example in respect of platform capabilities, for example availability of a 3D camera, network interfaces being disabled or unavailable, screen resolution, and so forth.
  • the run time policy enforcer 118 determines whether or not a run-time execution of the software application 110 complies with existing system policies (e.g. the system and environment requirements) of the computer system 104, for example whether or not the software application 110 is trying to access protected memory.
  • the application installer 114 stores a run-time policy, for example the second policy for the software application 110 in the run-time (RT) policy repository 116 of the computer system 104 if the run-time execution of the software application 110 complies with the existing system policies of the computer system 104.
  • the run-time (RT) policy enforcer 118 of the computer system 104 accesses the run-time policy, for example the second policy of the software application 110, and compares the run-time policy against the existing system policies of the computer system 104 and prevents the software application 110 from being executed if the run-time policy is inconsistent with the existing system policies of the computer system 104.
  • the existing system policies of the computer system 104 may be upgraded from time-to-time.
  • the computer system 104 may be further configured to present a user prompt when preventing the operation to the software application 110 and receive an authorization input by a user 102 of the computer system 104 according to the user prompt.
  • the computer system 104 is optionally configured to generate the user prompt when the software application 110 requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system 104, and to update an application access policy of the computer system 104 on approval from the user 102; as aforementioned, the application 110 may, for example, mandate the use of a 3D camera and require that algorithms defined by the application 110 be executed in a trusted execution environment (TEE).
  • TEE trusted execution environment
  • the run time policy enforcer 118 is configured to check an availability and a state of the aforesaid tools of the computer system 104 before the application 110 is launched and during execution of the application 110.
  • a “policy” is a set of rules governing operation of a particular device, the computer system 104 or the software application 110.
  • the application access policy is a set of rules governing execution of the software application 110.
  • the system policy of the computer system 104 is stored in the system policy repository 122.
  • the application access policy of the computer system 104 is stored in the application policy repository 124.
  • the application access policy is accessed by the access policy enforcer 126 or the RT policy enforcer 118.
  • the application access policy (e.g. the application requirements) is obtained from the application manifest.
  • the application requirements are translated by the installer 114 into code fragments or scripts implementing If-This-Then-That (IFTTT) logic. These fragments are called rules or policies and are stored in the system run-time policy repository.
  • if there is an inconsistency between the run-time policy, for example the second policy that is stored in the run-time (RT) policy repository 116, and the existing system policy of the computer system 104, the user prompt is raised with the user 102 to determine whether or not the user 102 wants to execute the software application 110 despite the inconsistency.
  • run time policies defined by the application 110 are employed in embodiments of the disclosure, wherein formally-defined rules are used that describe platform capabilities and run-time conditions required for proper functioning of the application 110.
  • Embodiments of the present disclosure use access policies, namely rules defined by the users, system administrators, regulators, service providers, and so forth that describe resources available for the application 110 as well as types of access required by the application 110 (for example read, create, modify, execute, delete, and so forth).
  • the computer system 104 is optionally configured to generate a user warning if the computer system 104 is not able to meet fully requirements of the software application 110, for example in respect of data security.
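The install-time half of the scheme described above (the application installer 114 comparing the application manifest 134 against the system manifest 120, rejecting incompatible platforms, and raising the user prompt only for requirements the application marks as an exception) can be sketched as follows. This is an added illustration, not code from the patent or from Huawei; the manifest keys, the meaning of each capability check, the `user_waivable` attribute and the prompt callback are assumptions made for the example.

```python
"""Install-time policy check, modelled on the application installer 114 and
system manifest 120 described above.  Added illustration, not the patent's
own code; manifest keys, capability semantics and the prompt callback are
assumptions made for this example."""
from typing import Any, Callable, Dict, List

# Constructed system manifest: the platform capabilities this device reports.
SYSTEM_MANIFEST: Dict[str, Any] = {
    "camera": "2D",
    "tee": True,
    "secure_storage": True,
    "screen_resolution": (1080, 2340),
    "network_interfaces": ["wifi"],
}

# Constructed application manifest carrying the "first policy": the platform
# requirements the vendor declares, plus those a user may waive by approval.
APP_MANIFEST: Dict[str, Any] = {
    "name": "example-app",
    "requires": {"tee": True, "camera": "3D", "min_resolution": (720, 1280)},
    "user_waivable": ["camera"],
}


def requirement_met(key: str, wanted: Any, system: Dict[str, Any]) -> bool:
    """Check one declared requirement against the system manifest.
    The per-key semantics are assumptions: resolution is a minimum, network
    is 'any of the listed interfaces', everything else is an exact match."""
    if key == "min_resolution":
        have = system.get("screen_resolution")
        return have is not None and have[0] >= wanted[0] and have[1] >= wanted[1]
    if key == "network":
        return any(iface in system.get("network_interfaces", []) for iface in wanted)
    return system.get(key) == wanted


def unmet_requirements(app: Dict[str, Any], system: Dict[str, Any]) -> List[str]:
    """Names of the requirements the platform cannot satisfy (empty = compatible)."""
    return [k for k, v in app["requires"].items() if not requirement_met(k, v, system)]


def install_decision(
    app: Dict[str, Any],
    system: Dict[str, Any],
    prompt_user: Callable[[str, List[str]], bool],
    app_policy_repo: Dict[str, Dict[str, Any]],
) -> str:
    """Decide whether the package may be installed.

    Returns "install", "install_with_exception" or "reject".  A requirement the
    vendor did not mark as waivable is rejected without asking the user; a
    waivable one raises the user prompt and, on approval, the exception is
    recorded in the application policy repository (cf. repository 124)."""
    unmet = unmet_requirements(app, system)
    if not unmet:
        app_policy_repo[app["name"]] = {"exceptions": []}
        return "install"
    if any(k not in app.get("user_waivable", []) for k in unmet):
        return "reject"
    if prompt_user(app["name"], unmet):
        app_policy_repo[app["name"]] = {"exceptions": list(unmet)}
        return "install_with_exception"
    return "reject"


if __name__ == "__main__":
    repo: Dict[str, Dict[str, Any]] = {}
    # Stand-in for the interactive user prompt: approve whatever is asked.
    decision = install_decision(APP_MANIFEST, SYSTEM_MANIFEST, lambda name, unmet: True, repo)
    print(decision, repo)
```

The important design point is that the decision is taken by the OS before any package content is unpacked or executed, and that the only path to installing on a platform that does not fully match is an explicit, recorded user approval of a requirement the vendor itself declared waivable; a missing TEE or an unmet minimum resolution is rejected with no prompt at all.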
  • FIG. 2 is a block diagram that illustrates a software architecture for implementing an application framework in accordance with an embodiment of the disclosure.
  • the software architecture includes a software application 202, an application manifest 204, an operating system 206 that includes an access controller 208 (namely the access policy enforcer 126 in figure 1B), resources 212, and an environment 214.
  • the application manifest 204 includes verifiable runtime (RT) manifest provided by the software application 202.
  • the resources 212 include a mobile phone, a network, files, pictures, and so forth.
  • the environment 214 includes a time, a location, a logged user, a security state, and so forth.
  • the access controller 208 includes a runtime conditions enforcement 210 (namely the run-time policy enforcer in figure 1B).
  • the runtime conditions enforcement 210 supports a “strong” protection at OS level.
  • the run-time conditions enforcement 210 of the access controller 208 prevents the software application 202 from being installed on incompatible platforms and/or “kills” (namely, prevents execution of) the software application 202 if the run-time conditions of the software application 202 cannot be satisfied.
  • the run-time conditions enforcement 210 protects a computer system against misbehavior of a tampered application.
  • FIG. 3 is a block diagram of a computer system 304 in accordance with an embodiment of the disclosure.
  • the block diagram includes a user interaction manager 302, the computer system 304, an application manifest 324, and a software vendor 326.
  • the computer system 304 includes a run-time conditions enforcer whose checks cover conditions related to an operating system (OS) 306 and to a software application 308.
  • the application manifest 324 includes information that describes the run-time conditions required by the software application 308.
  • the operating system 306 includes an application installer 310, a run-time (RT) policy repository 312, an application launcher 314 that includes a run-time policy enforcer 316, and a system and environment unit 318 that stores system and environment conditions.
  • the computer system 304 further includes hardware and software components 320 and an environment 322.
  • the environment 322 may include any one or more of network information (e.g. network connectivity), alerts, user information (age), highest level of the security alert in the system, and so forth.
  • the application installer 310 evaluates the run-time conditions of the software application 308.
  • the Run-time policy enforcer 316 may parse the application run-time conditions and anticipate whether or not a run-time execution of the software application 308 complies with policies of the computer system 304, for example whether or not the software application 308 is anticipated to be trying to access protected memory.
  • if the run-time policy enforcer 316 decides that the run-time execution of the software application 308 does not comply with the existing policies of the computer system 304, the software application is not executed.
  • if the run-time execution of the software application 308 complies with the existing policies of the computer system 304, the software application is executed and the run-time policy enforcer 316 stores a run-time policy in the run-time (RT) policy repository 312 of the computer system 304.
  • thereafter, the run-time (RT) policy enforcer 316 of the computer system 304 accesses the stored run-time policy, compares it against the policies of the computer system 304 (e.g. the system and environment condition) and prevents the software application 308 from being executed if the run-time policy is inconsistent with those policies.
  • the run-time policy may include an application ID as a key for retrieval of a single or a group policy.
  • the RT policy enforcer 316 may deal mainly with dynamically changing system and environment parameters. For example, the RT policy enforcer 316 may be involved during the launch (namely start) and run-time of the software application 308. The RT policy enforcer 316 may check whether the current system and environment condition matches the run-time conditions. If the current system and environment condition does not match the run-time conditions, the RT policy enforcer 316 may abort or suspend the execution of the software application 308.
  • the user interaction manager 302 manages a user interaction, and the user interaction manager 302 is invoked by the application installer 310 or the RT policy enforcer 316.
  • the RT policy enforcer 316 may also re-check the system configuration (e.g. using installer rules or a portion of the installer code) even though the system configuration rarely changes.
  • FIG. 4 is an interaction diagram that illustrates a method for operating policy enforcement during installation and/or run (namely, execution) of a software application 418 in accordance with an embodiment of the disclosure.
  • an installation of the software application 418 is initiated by a user 402 at a computer system.
  • the software application 418 is downloaded from an application store 404 by an application installer 406.
  • the application installer 406 is used to determine whether or not run-time execution of the software application 418 is expected to comply with existing system policies of the computer system, for example whether or not the software application 418 will try to access protected memory according to the manifest of the software application.
  • system policies of the computer system may be the “static” platform settings (e.g. platform capabilities listed in the system configuration such as BIOS), for example the platform does not have a 3D camera or no trusted execution environment (TEE) can be accessed, and so forth. If the software application 418 requires access to a 3D camera and/or a TEE, the installer 406 decides that the run-time execution of the software application 418 is not compliant with the system policies of the computer system. For another example, the installer 406 decides that the run-time execution of the software application 418 is not compliant with the system policies of the computer system if the computer system is disconnected from a data communication network (e.g. the Internet).
  • a user interaction manager 412 is notified by the application installer 406 to abort the installation of the software application 418 if the run-time execution of the software application 418 is expected to be non-compliant with the system policies of the computer system.
  • a user warning is generated and communicated by the user interaction manager 412 to the user 402 if the computer system is not able to fully meet the condition of the software application 418 in respect of data security, e.g. the run-time execution of the software application 418 is expected to be non-compliant with the existing system policies of the computer system. In such a scenario, approval is sought from the run-time policy enforcer.
  • the installation of the software application 418 is aborted at the user interaction manager 412.
  • the application installer 406 may abort the installation of the software application 418 if the software application 418 cannot meet the run-time conditions, for example a first policy.
  • the application installer 406 checks for the first policy that the computer system has compatible resources for the software application 418 and generates a second policy defining conditions necessary for the application 418 when executed; that is, from the expected execution requirements, the second policy is generated.
  • the run-time (RT) policy for example the second policy, is added to a run-time (RT) policy repository 410 by the application installer 406.
  • the run-time (RT) policy is stored at the run-time (RT) policy repository 410.
  • the run-time (RT) policy may include an application ID as a key for retrieval of a single or group policy.
  • the software application 418 is installed by the application installer 406.
  • an application launcher 414 is instructed by the user 402 to run the installed software application 418.
  • the software application 418 is validated, using the second policy, by the application launcher 414 and is also communicated to a run-time (RT) policy enforcer 408. If the launcher decides that the software application 418 is valid (i.e. complies with the second policy), the software application 418 is allowed to run.
  • the second policy checked by the launcher 414 may concern system configuration that does not change, or seldom changes, while the software application is running.
  • the run-time (RT) policy is retrieved from the run-time (RT) policy repository 410 at the run-time (RT) policy enforcer 408.
  • a system and environment status is retrieved by the run-time (RT) policy enforcer 408 from a system and environment unit 416.
  • the status describes a current state of the computer system.
  • the run-time policy (namely, the second policy) of the software application 418 is compared against the system policies of the computer system, by the run-time (RT) policy enforcer 408.
  • advanced dynamic changes (e.g. an updated run-time policy and/or changed system policies) may be checked by the run-time (RT) policy enforcer 408 during application launch time, for example whether Internet access is disconnected, whether the TEE is enabled, and so forth.
  • the user interaction manager 412 notifies the run-time (RT) policy enforcer 408 to prevent an operation to the software application 418 in response to the computer system being unable to satisfy the condition for software application operation.
  • at step 452, the execution of the software application 418 is aborted by the user interaction manager 412 at the application launcher 414.
  • the application launcher 414 is approved to execute the software application 418 by the RT policy enforcer 408 if the computer system satisfies the condition for software application operation defined by the second policy.
  • the application launcher 414 is prepared to execute the software application 418.
  • the software application 418 is executed by the application launcher 414.
  • FIG. 5 is a flow diagram that illustrates steps of a method for operating a computer system including a processor coupled to a memory that is configured to store an operating system, OS, in accordance with an embodiment of the disclosure.
  • the processor is configured, when executing the OS, to cause the computer system to obtain, from a software application, a condition for a software application operation.
  • the processor is used, when executing the OS, to determine whether or not the computer system satisfies the condition for the software application operation.
  • the processor is used, when executing the OS, to prevent an operation to the software application in response to the computer system being unable to satisfy the condition for software application operation.
  • condition for software application operation includes a first policy for installing the software application.
  • the operation to the software application includes installing the software application.
  • the method includes configuring the computer system to obtain, from the software application, the condition for software application operation by obtaining the first policy from the software application when receiving the software application from a network.
  • the condition for software application operation includes a second policy for the software application to access protected data.
  • the operation to the software application includes executing the software application.
  • the method includes configuring the computer system to obtain, from a software application, the condition for software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
  • the method includes configuring the computer system to present a user prompt when preventing the operation to the software application, and receive an authorization input by a user of the computer system according to the user prompt.
  • the method includes configuring the computer system to generate the user prompt when the software application requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system, and to update an application access policy of the computer system on approval from the user.
  • the method includes configuring the computer system to generate a user warning, for example a prompt, if the computer system is not able to meet fully the condition of the software application in respect of data security.
  • the method includes modifying the application manifest to support new attributes that allow an allocation of run-time conditions to be specified; for example, there are introduced an inclusive “oneOf” and an exclusive “notOneOf” key word.
  • each key word is followed by a list of options that must be available or unavailable, respectively, and is specified per capability or resource type. In the example, the application mandates a 3D or triple camera and is aimed to serve all users except children (namely, payments are not allowed for children).
  • the application manifest extensions may include the new attributes allowing an application vendor to specify requirements for a hosting platform and a run-time environment.
  • the system manifest and status Application Program Interfaces (APIs) may be expanded by a list of system resources and attributes required in evaluation of application RT conditions that may include a camera type, a connection state, user’ s age, and so forth.
  • Each parameter of a given category of application-driven policies may have at least the following conditions:
    oneOf    // augmented by the list of 1 or more discrete values
    notOneOf // augmented by the list of 1 or more discrete values
  • the RT conditions and the system manifest are mutually different; for example, the application manifest 324 includes the run-time conditions, whereas the system manifest 120 is metadata that defines a system computing environment. Moreover, the application manifest 324 and the system manifest 120 are stored separately, for example in units 116 and 122 in FIG. 1B, and likewise in units 312 and 318 in FIG. 3.
  • Each parameter may include one or more values specified as application specific strings that are supported by system sensors and context providers.
  • Moving evaluation of the computer system to an OS level removes risks of privacy breach related to exposure of these sensitive parameters.
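The following is an added example, not code from the patent, modelling the manifest extension described above (oneOf / notOneOf per capability or resource type) together with the two-stage enforcement of FIG. 4: the installer checks the first (static) policy against platform capabilities, derives the second (run-time) policy and stores it in a policy repository keyed by application ID, and the RT policy enforcer checks that stored policy against the current system and environment status at launch and on every status change. The parameter names (camera.type, tee, network.state, user.age_group), the sample values, the application ID, the split into static and dynamic parameters, and the way a user-approved exception is recorded are all constructed assumptions.

```python
"""Added example (not the patent's own code): a small model of the manifest
extension described above (oneOf / notOneOf per capability or resource type)
and of the two-stage enforcement from FIG. 4: an install-time check of the
first (static) policy, storage of the derived second (run-time) policy keyed
by application ID, and launch/run-time checks against the current system and
environment status. Parameter names, sample values and the static/dynamic
split are constructed assumptions."""


# Constructed application manifest. Each run-time condition carries at least
# one of the two keywords from the text; the values are app-specific strings.
APP_MANIFEST = {
    "app_id": "com.example.pay",  # assumed application ID (policy repository key)
    "rt_conditions": {
        "camera.type":    {"oneOf": ["3D", "triple"]},  # mandates a 3D or triple camera
        "tee":            {"oneOf": ["available"]},     # requires an accessible TEE
        "network.state":  {"oneOf": ["connected"]},     # dynamic environment parameter
        "user.age_group": {"notOneOf": ["child"]},      # serve all except children
    },
}

# Assumed split: these parameters are "static" platform settings checked by the
# installer (first policy); everything else is checked at launch/run time.
STATIC_PARAMS = {"camera.type", "tee"}


def check_conditions(conditions, status):
    """Return the parameters whose current value violates their condition.
    A parameter absent from `status` violates oneOf (the option must be
    available) but satisfies notOneOf (it is not one of the excluded values)."""
    violations = []
    for param, cond in conditions.items():
        value = status.get(param)
        bad = ("oneOf" in cond and value not in cond["oneOf"]) or \
              ("notOneOf" in cond and value in cond["notOneOf"])
        if bad:
            violations.append(param)
    return violations


class PolicyRepository:
    """Run-time (RT) policy repository: second policies keyed by application ID."""

    def __init__(self):
        self._policies = {}

    def store(self, app_id, policy):
        self._policies[app_id] = policy

    def load(self, app_id):
        return self._policies.get(app_id)


def install(manifest, platform, repo):
    """Application installer. Checks the first policy (static platform
    capabilities) and aborts on any violation; otherwise derives the second
    policy from the remaining conditions and stores it for the launcher/enforcer."""
    conds = manifest["rt_conditions"]
    first_policy = {p: c for p, c in conds.items() if p in STATIC_PARAMS}
    violations = check_conditions(first_policy, platform)
    if violations:
        return "abort_install", violations
    second_policy = {p: c for p, c in conds.items() if p not in STATIC_PARAMS}
    repo.store(manifest["app_id"], second_policy)
    return "installed", []


def enforce_runtime(app_id, environment, repo, approved_exceptions=frozenset()):
    """RT policy enforcer, invoked at launch and again whenever the system and
    environment status changes. `approved_exceptions` models the user-approved
    update of the application access policy after a prompt (an assumption about
    how that approval is recorded); the app runs only with no open violation."""
    policy = repo.load(app_id)
    if policy is None:
        return "abort_run", ["no run-time policy stored for " + app_id]
    violations = [p for p in check_conditions(policy, environment)
                  if p not in approved_exceptions]
    if violations:
        return "suspend", violations
    return "run", []


if __name__ == "__main__":
    repo = PolicyRepository()
    # Constructed platform capabilities and environment snapshots.
    print(install(APP_MANIFEST, {"camera.type": "2D", "tee": "available"}, repo))
    print(install(APP_MANIFEST, {"camera.type": "3D", "tee": "available"}, repo))
    print(enforce_runtime("com.example.pay",
                          {"network.state": "connected", "user.age_group": "adult"}, repo))
    print(enforce_runtime("com.example.pay",
                          {"network.state": "disconnected", "user.age_group": "child"}, repo))
```

The asymmetry in check_conditions is the point a practitioner should notice: a capability the platform cannot report (status value missing) fails a oneOf requirement, because the manifest demands that one of the listed options be available, while a missing value satisfies notOneOf, so an unknown user age does not by itself block a “not children” application; whether that is the desired fail-open behaviour for a given parameter is a policy decision, not a parsing one.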
  • FIG. 6 is an illustration of an exemplary computer system 600 in which the various architectures and functionalities of the various previous embodiments may be implemented.
  • the computer system 600 includes at least one processor 604 that is connected to a bus 602, wherein the bus 602 may be implemented using any suitable protocol, such as PCI (Peripheral Component Interconnect), PCI-Express, AGP (Accelerated Graphics Port), HyperTransport, or any other bus or point-to-point communication protocol(s).
  • the computer system 600 also includes a memory 606.
  • Control logic (software) and data are stored in the memory 606 which may take a form of random-access memory (RAM).
  • a single semiconductor platform may refer to a sole unitary semiconductor-based integrated circuit or chip. It should be noted that the term single semiconductor platform may also refer to multi-chip modules with increased connectivity which simulate on-chip operation, and make substantial improvements over utilizing a conventional central processing unit (CPU) and bus embodiment. Of course, the various modules may also be situated separately or in various combinations of semiconductor platforms per the desires of the user.
  • the computer system 600 may also include a secondary storage 610.
  • the secondary storage 610 includes, for example, a hard disk drive and a removable storage drive, the latter representing a floppy disk drive, a magnetic tape drive, a compact disk drive, a digital versatile disk (DVD) drive, a recording device, or a universal serial bus (USB) flash memory.
  • the removable storage drive at least one of reads from and writes to a removable storage unit in a well-known manner.
  • Computer programs, or computer control logic algorithms may be stored in at least one of the memory 606 and the secondary storage 610. Such computer programs, when executed, enable the computer system 600 to perform various functions as described in the foregoing.
  • the memory 606, the secondary storage 610, and any other storage are possible examples of computer-readable media.
  • the architectures and functionalities depicted in the various previous figures may be implemented in the context of the processor 604, a graphics processor coupled to a communication interface 612, an integrated circuit (not shown) that is capable of at least a portion of the capabilities of both the processor 604 and a graphics processor, a chipset (namely, a group of integrated circuits designed to work and sold as a unit for performing related functions), and so forth.
  • the architectures and functionalities depicted in the various previous-described figures may be implemented in a context of a general computer system, a circuit board system, a game console system dedicated for entertainment purposes, an application-specific system.
  • the computer system 600 may take the form of a desktop computer, a laptop computer, a server, a workstation, a game console, an embedded system.
  • the computer system 600 may take the form of various other devices including, but not limited to, a personal digital assistant (PDA) device, a mobile phone device, a smart phone, a television, and so forth. Additionally, although not shown, the computer system 600 may be coupled to a network (for example, a telecommunications network, a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, a peer-to-peer network, a cable network, or the like) for communication purposes through an I/O interface 608.

Abstract

There is provided a computer system (104, 304, 600) including a processor (106) and a memory (108) configured to store an operating system (OS) (112, 206, 306). The processor (106), when executing the OS (112, 206, 306), is configured to cause the computer system (104, 304, 600) to obtain, from a software application (110, 202, 308, 418), a condition for a software application operation. The processor (106) is further configured to cause the computer system (104, 304, 600) to determine whether or not the computer system (104, 304, 600) satisfies the condition for the software application operation. The processor (106) is further configured to cause the computer system (104, 304, 600) to prevent an operation to the software application (110, 202, 308, 418) in response to the computer system (104, 304, 600) being unable to satisfy the condition for software application operation.

Description

PROTECTION OF A COMPUTER SYSTEM AND ITS SOFTWARE FROM INSTALLING AND RUNNING SOFTWARE APPLICATIONS ON INCOMPATIBLE PLATFORMS
TECHNICAL FIELD
The disclosure relates generally to a computer system. Moreover, the disclosure relates to a method for operating the computer system.
BACKGROUND
Access control systems are known to be used in computer systems for purposes of supporting, understanding, and enforcing application access policies; the access control systems include various tools and components for such purposes. Moreover, the access control systems employ a framework that serves a security goal of protecting system assets such as Application program interfaces (APIs), sensitive data, communication channels, and so forth against adversarial or compromised applications.
In known approaches, a software vendor specifies in a manifest the application permissions and the resources required by an application, signs the manifest, and then uploads it to an application store as a part of a package. When installing the package on a given specific device, the application permissions are checked by an operating system (OS) during installation on the specific device, wherein the OS compares the application permissions against pre-defined system policies; if the application permissions are incompatible with the pre-defined system policies, the package is not allowed. After a user of the specific device approves the permissions required by the application as described in the manifest, corresponding application policies are added to an application policy registry. The user can update the application permissions selectively during the application life cycle. The specific device matches application access to the resources with the appropriate policy during run-time of the application. The specific device may enable access for legitimate and benign applications working within the definitions of the manifest. The specific device may reject the access if an adversarial or tampered application accesses a resource beyond the allowed scope.
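As an added illustration of the known permission-based approach described in the preceding paragraph (this is example code written for this page, not the patent's own method nor any particular OS's implementation): permissions declared in the manifest are compared with a pre-defined system policy at install time, recorded in an application policy registry once the user approves them, selectively revocable by the user during the application life cycle, and matched against each resource access at run time so that an application reaching beyond its declared scope is rejected. The permission names, the system policy, the application IDs and the access trace are constructed for the example.

```python
"""Added example (not the patent's own code) of the known permission-based
approach: manifest permissions are checked against system policy at install
time, recorded in an application policy registry after user approval,
selectively updatable by the user, and matched against each resource access
at run time. Permission names, system policy and the access trace are
constructed."""

# Assumed pre-defined system policy: permissions no package may hold here.
SYSTEM_DENIED = {"READ_SMS"}


class ApplicationPolicyRegistry:
    def __init__(self):
        self._granted = {}  # app_id -> set of currently granted permissions

    def install(self, app_id, declared, user_approves):
        """Reject the package if a declared permission is incompatible with
        system policy; otherwise record the permissions the user approved.
        Returns (accepted, incompatible_permissions)."""
        incompatible = sorted(set(declared) & SYSTEM_DENIED)
        if incompatible:
            return False, incompatible
        self._granted[app_id] = {p for p in declared if user_approves(p)}
        return True, []

    def update(self, app_id, permission, granted):
        """Selective user update of one permission during the life cycle."""
        perms = self._granted.setdefault(app_id, set())
        (perms.add if granted else perms.discard)(permission)

    def check_access(self, app_id, permission):
        """Run-time match of a resource access against the registry."""
        return permission in self._granted.get(app_id, set())


def audit(registry, trace):
    """Apply a sequence of (app_id, permission) access attempts and return the
    rejected ones, i.e. accesses beyond the allowed scope such as a tampered
    or adversarial application would attempt."""
    return [(app, perm) for app, perm in trace
            if not registry.check_access(app, perm)]


if __name__ == "__main__":
    reg = ApplicationPolicyRegistry()
    # The user approves CAMERA but declines LOCATION for the first package.
    print(reg.install("com.example.cam", ["CAMERA", "LOCATION"],
                      user_approves=lambda p: p != "LOCATION"))
    # The second package declares a permission the system policy forbids.
    print(reg.install("com.example.spy", ["CAMERA", "READ_SMS"], lambda p: True))
    # Constructed access trace: the second and third accesses exceed the scope.
    trace = [("com.example.cam", "CAMERA"), ("com.example.cam", "LOCATION"),
             ("com.example.spy", "CAMERA")]
    print(audit(reg, trace))
```

Note that the rejected package never reaches the registry, so any later access by it fails closed; this is the property the disclosure builds on when it moves the additional run-time condition checks into the same OS-level path rather than into vendor-supplied middleware.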
In the aforesaid known approaches, security objectives may protect system security assets such as a user’s data, communication channels, system configuration, services, and so forth from attacks originated by an adversarial application. Known approaches have advanced solutions that may be based on software (SW) vendors or third-party sandboxes, virtual machines, or application isolation middleware. These solutions typically intercept interaction of an application with the OS and implement advanced policy enforcement techniques to ensure that the application does not exceed an expected behavioral pattern. Furthermore, these known solutions have their own disadvantages. For example, one such known solution mandates that additional APIs are used for monitoring of run-time (RT) conditions, leading to a wider exposure of system assets towards the application, wherein the additional APIs result in a growing attack surface and additional associated security risks of information disclosure and leakage. Another such known solution provides a way for an attacker to tamper with a given application and break its associated conditions. In another known solution, application dependencies on RT conditions are hidden and cannot be validated by third parties. In another such known solution, there is no way to validate platform eligibility for installing and running a given application. Another known solution requires SW re-deployment to be able to change an RT condition.
Therefore, there arises a need to address the aforementioned technical drawbacks in existing systems or technologies in the installation and execution of a software application in a computer system.
SUMMARY
It is an object of the disclosure to provide an improved method for operating a computer system including a processor and a memory configured to store an operating system to establish a unified framework for application security control and to reduce risks of misuse or improper activation of a software application in an adversarial environment. Moreover, it is an object of the disclosure to provide an improved computer system that uses the aforesaid improved method. This object is achieved by the features of the independent claims. Further implementation forms are apparent from the dependent claims, the description, and the figures.
The disclosure provides a computer system and a method for operating the computer system including a processor and a memory configured to store an operating system.
According to a first aspect, there is provided a computer system including a processor and a memory configured to store an operating system (OS). The processor, when executing the OS, is configured to cause the computer system to obtain, from a software application, a condition for a software application operation. The processor, when executing the OS, is configured to cause the computer system to determine whether or not the computer system satisfies the condition for the software application operation. The processor, when executing the OS, is configured to cause the computer system to prevent an operation to the software application in response to the computer system being unable to satisfy the condition for software application operation.
The computer system is of advantage in that the computer system establishes a unified framework for application security control. Moreover, the computer system provides tools for the application security control by a network. Furthermore, the computer system reduces, for example minimizes, risks of application misuse or improper activation in an adversarial environment. Additionally, the computer system supports a “strong” protection at OS level. Beneficially, the computer system is less exposed to application-level adversaries as the unified framework prevents the application from being installed on an incompatible platform. The computer system reduces, for example minimizes, risks of security breaches such as denial-of-service (DoS), distributed-denial-of-service (DDoS) attacks, man-in-the-middle (MitM) attacks, and so forth. The computer system enables OS enforcement that is much more secure and adversary resilient. Moreover, the computer system enables ease of application run-time conditions validation and assessment. Furthermore, the computer system cancels application installation on a platform if the platform is not compatible, thereby enabling software vendors and regulators to manage application compatibility independently. Additionally, the computer system enables a more robust and secure enforcement of an application behavior by a trusted network.
In a first implementation form, the condition for software application operation includes a first policy for installing the software application. The operation to the software application includes installing the software application. The computer system is configured to obtain, from the software application, the condition for software application operation by obtaining the first policy from the software application when receiving the software application from a network.
In a second implementation form, the condition for software application operation includes a second policy for the software application to access protected data. The operation to the software application includes executing the software application. The computer system is configured to obtain, from a software application, the condition for software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
In a third implementation form, the computer system is further configured to present a user prompt when preventing the operation to the software application. The computer system is further configured to receive an authorization input by a user of the computer system according to the user prompt.
In a fourth implementation form, the computer system is configured to generate the user prompt when the software application requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system, and to update an application access policy of the computer system on approval from the user. The computer system is of advantage in that the computer system prevents the software application being installed on incompatible platforms and prevents the software application from being executed if the run-time conditions are inconsistent with existing policies of the computer system. The computer system enables ease of the run-time conditions validation.
In a fifth implementation form, the computer system is configured to generate a user warning if the computer system is not able to meet fully the condition of the software application in respect of data security.
According to a second aspect, there is provided a method for operating a computer system including a processor and a memory configured to store an operating system, OS. The method includes configuring the processor, when executing the OS, to cause the computer system to obtain, from a software application, a condition for a software application operation. The method includes using the processor, when executing the OS, to determine whether or not the computer system satisfies the condition for the software application operation. The method includes using the processor, when executing the OS, to prevent an operation to the software application in response to the computer system being unable to satisfy the condition for software application operation.
The method is of advantage in that the method establishes a unified framework for application security control. Moreover, the method provides tools for the application security control by a network. The method reduces, for example minimizes, risks of misuse or improper activation of the software application in an adversarial environment. The method supports a “strong” protection at OS level.
In a first implementation form of the method, the condition for software application operation includes a first policy for installing the software application. The operation to the software application includes installing the software application. The method includes configuring the computer system to obtain, from the software application, the condition for software application operation by obtaining the first policy from the software application when receiving the software application from a network.
In a second possible implementation form of the method, the condition for software application operation includes a second policy for the software application to access protected data. The operation to the software application includes executing the software application. The method includes configuring the computer system to obtain, from a software application, the condition for software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
In a third possible implementation form of the method, the method includes configuring the computer system to present a user prompt when preventing the operation to the software application and receive an authorization input by a user of the computer system according to the user prompt.
In a fourth possible implementation form of the method, the method includes configuring the computer system to generate the user prompt when the software application requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system, and to update an application access policy of the computer system on approval from the user.
In a fifth possible implementation form of the method, the method includes configuring the computer system to generate a user warning if the computer system is not able to meet fully the condition of the software application in respect of data security.
According to a third aspect, there is provided a computer program product having computer- readable instructions, the computer-readable instructions being executable by a computerized device including processing hardware to execute a method. Optionally, the computer program product is stored on a non-transitory computer-readable storage medium as computer-readable instructions.
These and other aspects of the disclosure will be apparent from the implementations described below.
BRIEF DESCRIPTION OF DRAWINGS
Embodiments of the disclosure will now be described, by way of example only, with reference to the accompanying drawings, in which:
FIG. 1A is a block diagram of a computer system including a processor and a memory configured to store an operating system in accordance with an embodiment of the disclosure;
FIG. 1B is a block diagram that illustrates a computer system in accordance with an embodiment of the disclosure;
FIG. 2 is a block diagram that illustrates a software architecture for implementing an application framework in accordance with an embodiment of the disclosure;
FIG. 3 is a block diagram of a computer system in accordance with an embodiment of the disclosure;
FIG. 4 is an interaction diagram that illustrates a method for operating policy enforcement during installation and run of a software application in accordance with an embodiment of the disclosure;
FIG. 5 is a flow diagram that illustrates a method for operating a computer system including a processor and a memory configured to store an operating system, OS, in accordance with an embodiment of the disclosure; and
FIG. 6 is an illustration of a computing arrangement for use in implementing embodiments of the disclosure.
DETAILED DESCRIPTION OF THE DRAWINGS
Embodiments of the disclosure provide a computer system including a processor and a memory, wherein the computer system is configured to store an operating system to establish a unified framework for application security control and to reduce (for example, to minimize) risks of misuse or improper activation of a software application in an adversarial environment. Moreover, embodiments of the disclosure provide a method for operating the computer system to store an operating system to establish a unified framework for application security control and to reduce (for example, to minimize) risks of misuse or improper activation of a software application in an adversarial environment.
To make solutions of the disclosure more comprehensible for a person skilled in the art, the following embodiments of the disclosure are described with reference to the accompanying drawings.
Embodiments of the disclosure are concerned with protecting the computer system against improper activation of the software application in an adversarial environment.
Therefore, according to the computer system and the method for operating the computer system provided in the disclosure, the computer system is protected against improper activation of the software application in the adversarial environment. The disclosure establishes a unified framework for application security control and provides tools for the application security control by an infrastructure. The disclosure allows the computer system to reduce, for example to minimize, risks of application misuse or improper activation in an adversarial environment. The disclosure allows the computer system to reduce, for example to minimize, risks of security breaches such as denial-of-service (DoS), distributed-denial-of-service (DDoS) attacks, man- in-the-middle (MitM) attacks, and so forth. Moreover, the disclosure allows the computer system to enable OS enforcement that is much more secure and adversary resilient. Furthermore, the computer system enables ease of application run-time conditions validation and assessment.
Terms such as "a first", "a second", "a third", and "a fourth" (if any) in the summary, claims, and foregoing accompanying drawings of the disclosure are used to distinguish between similar objects and are not necessarily used to describe a specific sequence or order. It should be understood that the terms so used are interchangeable under appropriate circumstances, so that the embodiments of the disclosure described herein are, for example, capable of being implemented in sequences other than the sequences illustrated or described herein. Furthermore, the terms "include" and "have" and any variations thereof are intended to cover a non-exclusive inclusion. For example, a process, a method, a system, a product, or a device that includes a series of steps or units is not necessarily limited to the expressly listed steps or units but may include other steps or units that are not expressly listed or that are inherent to such process, method, product, or device.
FIG. 1A is a block diagram illustrating a computer system 104 including a processor 106 coupled to a data memory 108, wherein the data memory 108 is configured to store an operating system (OS) in accordance with an embodiment of the disclosure. The processor 106, when executing the OS, is configured to cause the computer system 104 to obtain, from a software application, a condition for a software application operation. The processor 106 is configured to determine whether or not the computer system 104 satisfies the condition for the software application operation. The processor 106 is configured to prevent an operation to the software application in response to the computer system 104 being unable to satisfy the condition for software application operation.
The computer system 104 establishes a unified framework for application security control. The computer system 104 provides tools for the application security control by a network. The computer system 104 reduces, for example minimizes, risks of misuse or improper activation of the software application in an adversarial environment. Thereby, the computer system 104 supports a “strong” protection at OS level.
The condition for software application operation optionally includes a first policy for installing the software application. The operation to the software application includes installing the software application. The computer system 104 is configured to obtain, from the software application, the condition for software application operation by: obtaining the first policy from the software application when receiving the software application from a network.
The condition for the software application operation optionally includes a second policy for the software application to access protected data. The operation to the software application includes executing the software application. The computer system 104 is configured to obtain, from the software application, the condition for the software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
With reference to FIG. 1A, FIG. 1B is a block diagram illustration of the computer system 104 in accordance with an embodiment of the disclosure. The computer system 104 includes the processor 106 coupled to the memory 108, wherein the memory 108 is configured to store an operating system (OS) 112. The computer system 104 includes a software application 110 and resources 130. The operating system (OS) 112 includes an application installer 114, a run-time (RT) policy repository 116, a run-time (RT) policy enforcer 118, a system manifest 120, a system policy repository 122, an application policy repository 124, an access policy enforcer 126 and a system and environment unit 128 that stores system and environment conditions. The application policy repository 124 may be accessed by the RT policy enforcer 118. Optionally, the RT policy repository 116 may include the application policy repository 124, or the RT policy repository 116 and the application policy repository 124 may be merged or combined, and the merged or combined repository may be called the RT policy repository 116 or another name. Accordingly, the access policy enforcer 126 may be omitted and its function may be performed by the RT policy enforcer 118. Examples of such system and environment conditions include: (i) whether or not the computer system 104 is connected to the Internet; (ii) whether or not secure data storage is provided; (iii) whether or not a trusted execution environment is provided; (iv) whether a 3D camera or a 2D camera is provided, and so forth. The resources 130 may include a mobile phone, a network, files, pictures, and so forth. The block diagram further includes an application store 132 and an application manifest 134 that includes run-time conditions.
The computer system 104, without limitation, may be a mobile phone, a Personal Digital Assistant (PDA), a tablet, a desktop computer, a server, or a laptop. The application installer 114 downloads and installs the software application 110 from the application store 132. The application store 132 is an online portal through which software applications 110 are made available for procurement and download. The application installer 114 is configured to parse and understand the application-related requirements on the platform provided in the computer system 104 on which the application 110 is to be run, and to check whether the platform can meet these requirements; contemporary known installers are not able to provide such functionality. Thus, the installer 114 is configured to check the platform capabilities required by the software application 110 against the platform before installing the software application 110. The application installer 114 may therefore evaluate run-time conditions of the software application 110.
The run-time (RT) policy enforcer 118 may monitor the run-time conditions of the software application 110 and determine whether or not the run-time conditions of the software application 110 are matched with the current system and environment conditions. The run-time (RT) policy enforcer 118 may block the launch of, or "kill" (namely prevent execution of) an already running, software application 110 if the run-time conditions of the software application 110 are not matched with the current system and environment conditions. In order to check the conditions stored in the system and environment unit 128, the RT policy enforcer 118 may poll the system registry and also state/status monitor repositories. It can also register for notifications on change delivered by appropriate system engines (such as the system state or status monitor). It will be appreciated that the installer 114 checks platform capabilities during installation of the application 110, whereas the run-time policy enforcer 118 checks run-time conditions during execution of the application 110. It will further be appreciated that the installer 114 and the policy enforcer 118 are mutually different elements of the computer system 104. The installer 114 checks whether the application should be installed before actually installing it; this is a one-time operation that checks the HW and SW configuration only. The run-time enforcer 118 is a much more powerful tool that checks the states and statuses of the resources required by the application at launch and during run time. These conditions may change and therefore must be checked frequently and in detail.
The application manifest 134 may be modified to support new attributes that allow an allocation of the run-time conditions of the software application 110 to be specified. The application manifest 134 may include new attributes allowing an application vendor to specify requirements for a hosting platform and run-time environment when the software application 110 is to be executed; these attributes can be provided, for example, by updating an associated manifest. A "manifest" file in the computer system 104 is a file containing metadata for a group of accompanying files that are a part of a set or coherent unit. For example, the files of a computer program may have a manifest describing a name, a version number, a license and the constituent files of the computer program/software application 110. Thus, the system manifest 120 is metadata that defines a system computing environment. The system manifest 120 and status Application Program Interfaces (APIs) may be expanded by a list of system resources and attributes required in the evaluation of the run-time conditions of the software application 110, which may include a camera type, a connection state, a user's age, and so forth.
When the user tries to install the application 110, the application installer 114 determines whether or not the computer system 104 can accommodate the software application 110, for example in respect of platform capabilities, for example availability of a 3D camera, network interfaces being disabled or unavailable, screen resolution, and so forth. After the software application is installed and when the user tries to run the software application, the run time policy enforcer 118 determines whether or not a run-time execution of the software application 110 complies with existing system policies (e.g. the system and environment requirements) of the computer system 104, for example whether or not the software application 110 is trying to access protected memory. The application installer 114 stores a run-time policy, for example the second policy for the software application 110 in the run-time (RT) policy repository 116 of the computer system 104 if the run-time execution of the software application 110 complies with the existing system policies of the computer system 104. During the execution of the software application 110, the run-time (RT) policy enforcer 118 of the computer system 104 accesses the run-time policy, for example the second policy of the software application 110, and compares the run-time policy against the existing system policies of the computer system 104 and prevents the software application 110 from being executed if the run-time policy is inconsistent with the existing system policies of the computer system 104. The existing system policies of the computer system 104 may be upgraded from time-to-time.
The computer system 104 may be further configured to present a user prompt when preventing the operation to the software application 110 and receive an authorization input by a user 102 of the computer system 104 according to the user prompt.
The computer system 104 is optionally configured to generate the user prompt when the software application 110 requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system 104, and to update an application access policy of the computer system 104 on approval from the user 102; as aforementioned, the application 110 may, for example, mandate use of a 3D camera and execution of algorithms defined by the application 110 to be executed in a trusted execution environment (TEE). Thus, the run time policy enforcer 118 is configured to check an availability and a state of the aforesaid tools of the computer system 104 before the application 110 is launched and during execution of the application 110.
A "policy" is a set of rules governing operation of a particular device, the computer system 104 or the software application 110. The application access policy is a set of rules governing execution of the software application 110. The system policy of the computer system 104 is stored in the system policy repository 122. The application access policy of the computer system 104 is stored in the application policy repository 124. The application policy repository 124 optionally includes an additional group of run-time (RT) policies, for example:
    android:cameraType:one of = "3D"
    android:userType:notOneOf = "Child"
The application access policy is accessed by the access policy enforcer 126 or the RT policy enforcer 118.
The application access policy (e.g. the application requirements) is obtained from the application manifest. For example, the application requirements are translated by the installer 114 into code fragments or scripts implementing If-This-Then-That (also known as IFTTT) logic. These fragments are called rules or policies and are stored in the system run-time policy repository.
If there is any inconsistency between the run-time policy, for example the second policy that is stored in the run-time (RT) policy repository 116 and the existing system policy of the computer system 104, the user prompt is raised with the user 102, to determine whether or not the user 102 wants to execute the software application 110 despite the inconsistency. It will be appreciated that run time policies defined by the application 110 are employed in embodiments of the disclosure, wherein formally-defined rules are used that describe platform capabilities and run-time conditions required for proper functioning of the application 110. Embodiments of the present disclosure use access policies, namely rules defined by the users, system administrators, regulators, service providers, and so forth that describe resources available for the application 110 as well as types of access required by the application 110 (for example read, create, modify, execute, delete, and so forth). The computer system 104 is optionally configured to generate a user warning if the computer system 104 is not able to meet fully requirements of the software application 110, for example in respect of data security.
FIG. 2 is a block diagram that illustrates a software architecture for implementing an application framework in accordance with an embodiment of the disclosure. The software architecture includes a software application 202, an application manifest 204, an operating system 206 that includes an access controller 208 (namely the access policy enforcer 126 in FIG. 1B), resources 212, and an environment 214. The application manifest 204 includes a verifiable run-time (RT) manifest provided by the software application 202. The resources 212 include a mobile phone, a network, files, pictures, and so forth. The environment 214 includes a time, a location, a logged user, a security state, and so forth. The access controller 208 includes a run-time conditions enforcement 210 (namely the run-time policy enforcer 118 in FIG. 1B). The run-time conditions enforcement 210 supports a "strong" protection at OS level. The run-time conditions enforcement 210 of the access controller 208 prevents installation of the software application 202 on incompatible platforms and/or "kills" (namely prevents execution of) the software application 202 if the run-time conditions of the software application 202 are unable to satisfy a condition for the software application operation. The run-time conditions enforcement 210 protects a computer system against misbehavior of a tampered application.
FIG. 3 is a block diagram of a computer system 304 in accordance with an embodiment of the disclosure. The block diagram includes a user interaction manager 302, the computer system 304, an application manifest 324, and a software vendor 326. The computer system 304 includes a run-time conditions enforcer that checks conditions related to an operating system (OS) 306 and to a software application 308. The application manifest 324 includes information that describes the run-time conditions required by the software application 308. The operating system 306 includes an application installer 310, a run-time (RT) policy repository 312, an application launcher 314 that includes a run-time policy enforcer 316, and a system and environment unit 318 that stores system and environment conditions. The computer system 304 further includes hardware and software components 320 and an environment 322. The environment 322 may include any one or more of network information (e.g. network connectivity), alerts, user information (e.g. age), the highest level of security alert in the system, and so forth. When the user tries to execute (i.e. run, start or launch) an installed software application, the application installer 310 evaluates the run-time conditions of the software application 308. For example, the run-time policy enforcer 316 may parse the application run-time conditions and anticipate whether or not a run-time execution of the software application 308 complies with the policies of the computer system 304, for example whether or not the software application 308 is anticipated to try to access protected memory. If the run-time policy enforcer 316 decides that the run-time execution of the software application 308 does not comply with the existing policies of the computer system 304, the software application will not be executed.
The software application is executed and the Run-time policy enforcer 316 stores a run-time policy, in the run-time (RT) policy repository 312 of the computer system 304 if the run-time execution of the software application 308 complies with the existing policies of the computer system 304. After that, i.e. during the execution of the software application 308, the run-time (RT) policy enforcer 316 of the computer system 304 accesses the run-time policy and compares against the policies of the computer system 304 and prevents the software application 308 from being executed if the run-time policy is inconsistent with the policies of the computer system 304 (e.g. system and environment condition). The run-time policy may include an application ID as a key for retrieval of a single or a group policy.
The RT policy enforcer 316 may deal mainly with dynamically changing system and environment parameters. For example, the RT policy enforcer 316 may be involved during the launch (namely start) and run-time of the software application 308. The RT policy enforcer 316 may check whether a current system and environment condition is matched with the run-time conditions. If the current system and environment condition is not matched with the run-time conditions, the RT policy enforcer 316 may abort or suspend the execution of the software application 308. The user interaction manager 302 manages a user interaction, and the user interaction manager 302 is invoked by the application installer 310 or the RT policy enforcer 316. Optionally, the RT policy enforcer 316 may also re-check the system configuration (e.g. using installer rules or a portion of code) even if the system configuration is barely changing.
FIG. 4 is an interaction diagram that illustrates a method for operating policy enforcement during installation and/or run (namely, execution) of a software application 418 in accordance with an embodiment of the disclosure.
At a step 420, an installation of the software application 418 is initiated by a user 402 at a computer system. At a step 422, the software application 418 is downloaded from an application store 404 by an application installer 406.
At a step 424, the application installer 406 is used to determine whether or not run-time execution of the software application 418 is expected to comply with existing system policies of the computer system, for example whether or not the software application 418 is trying to access protected memory according to the manifest of the software application. For example, the system policies of the computer system may be the "static" platform settings (e.g. platform capabilities listed in the system configuration, such as the BIOS), for example that the platform does not have a 3D camera or that no trusted execution environment (TEE) can be accessed, and so forth. If the software application 418 requires access to a 3D camera and/or a TEE, the installer 406 decides that the run-time execution of the software application 418 is not compliant with the system policies of the computer system. For another example, the installer 406 decides that the run-time execution of the software application 418 is not compliant with the system policies of the computer system if the computer system is disconnected from a data communication network (e.g. the Internet).
At a step 426, a user interaction manager 412 is notified by the application installer 406 to abort the installation of the software application 418 if the run-time execution of the software application 418 is expected to be non-compliant with the system policies of the computer system.
At a step 428, a user warning is generated and communicated by the user interaction manager 412 to the user 402 if the computer system is not able to meet fully the condition of the software application 418 in respect of data security, e.g. the run-time execution of the software application 418 is expected to be non-compliant with the existing system policies of the computer system. In such a scenario, approval is sought from the run-time policy enforcer.
At a step 430, the installation of the software application 418 is aborted at the user interaction manager 412. The application installer 406 may abort the installation of the software application 418 if the software application 418 cannot meet the run-time conditions, for example a first policy.
At a step 432, a run-time policy, for example a second policy, is created at the application installer 406 if the installer 406 decides at step 424 that there is compliance between the runtime execution of the software application 418 with the system policies of the computer system. In other words, the application installer 406 checks for the first policy that the computer system has compatible resources for the software application 418 and generates a second policy defining conditions necessary for the application 418 when executed; that is, from the expected execution requirements, the second policy is generated.
At a step 434, the run-time (RT) policy, for example the second policy, is added to a run-time (RT) policy repository 410 by the application installer 406.
At a step 436, the run-time (RT) policy is stored at the run-time (RT) policy repository 410. The run-time (RT) policy may include an application ID as a key for retrieval of a single or group policy.
At a step 438, the software application 418 is installed by the application installer 406.
Optionally, at a step 440, an application launcher 414 is instructed by the user 402 to run the installed software application 418.
At a step 442, the software application 418 is validated, using the second policy, by the application launcher 414 and is also communicated to a run-time (RT) policy enforcer 408. If the launcher decides that the software application 418 is valid (i.e. complies with the second policy), the software application 418 is allowed to be run. The second policy checked by the launcher 414 may be a system configuration that won't change, or seldom changes, during the execution or running of the software application.
At a step 444, the run-time (RT) policy is retrieved from the run-time (RT) policy repository 410 at the run-time (RT) policy enforcer 408.
At a step 446, a system and environment status is retrieved by the run-time (RT) policy enforcer 408 from a system and environment unit 416. The status describes a current state of the computer system.
At a step 448, during an execution of the software application 418, the run-time policy (namely, the second policy) of the software application 418 is compared against the system policies of the computer system, by the run-time (RT) policy enforcer 408. Advanced dynamic changes (e.g. the updated run-time policy and/or the changed system policies) may be checked by the run-time (RT) policy enforcer 408 during application launch time, for example Internet access is disconnected, TEE is enabled, and so forth. At a step 450, the user interaction manager 412 notifies the run-time (RT) policy enforcer 408 to prevent an operation to the software application 418 in response to the computer system being unable to satisfy the condition for software application operation.
At a step 452, the execution of the software application 418 is aborted by the user interaction manager 412 at the application launcher 414.
At a step 454, the application launcher 414 is approved to execute the software application 418 by the RT policy enforcer 408 if the computer system satisfies the condition for software application operation defined by the second policy.
At a step 456, the application launcher 414 is prepared to execute the software application 418. At a step 458, the software application 418 is executed by the application launcher 414.
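The install-time and run-time phases described for FIG. 1B and in steps 420 to 458 above, modelled as an added example in Python (not code from the patent or from the applicant): the installer evaluates the rules about static platform capabilities (the first policy) against a system manifest and stores the remaining rules as the second policy in a repository keyed by application ID; the run-time enforcer validates that stored policy at launch, re-checks it whenever the system and environment status changes, raises a user prompt on an inconsistency, and records an approved exception in the application access policy so it is not prompted again. The class and parameter names, the representation of a rule as a oneOf/notOneOf value set, and the convention that a parameter listed in the system manifest is a static capability are assumptions; the sample manifests and environments are constructed.

```python
"""Two-phase policy enforcement (installer + run-time enforcer), an added
illustration of the FIG. 1B / FIG. 4 flow. All names here are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Set


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class Rule:
    """One run-condition: the parameter's value must be oneOf / notOneOf `values`."""
    parameter: str
    op: str                      # "oneOf" or "notOneOf"
    values: FrozenSet[str]

    def holds(self, facts: Dict[str, str]) -> bool:
        actual = facts.get(self.parameter)
        if actual is None:       # unknown capability or state: fail closed
            return False
        return (actual in self.values) if self.op == "oneOf" else (actual not in self.values)


@dataclass
class Repositories:
    """RT policy repository keyed by application ID, plus the application access
    policy repository holding the exceptions a user has approved."""
    rt_policies: Dict[str, List[Rule]] = field(default_factory=dict)
    approved: Dict[str, Set[Rule]] = field(default_factory=dict)


class Installer:
    """First policy: rules about static capabilities (anything listed in the system
    manifest) are checked once, before installation; the remaining rules become
    the second (run-time) policy stored for the enforcer."""

    def __init__(self, system_manifest: Dict[str, str], repos: Repositories):
        self.system_manifest = system_manifest
        self.repos = repos

    def install(self, app_id: str, rules: List[Rule]) -> Verdict:
        static = [r for r in rules if r.parameter in self.system_manifest]
        if not all(r.holds(self.system_manifest) for r in static):
            return Verdict.DENY  # platform cannot satisfy the app: abort install
        self.repos.rt_policies[app_id] = [r for r in rules if r not in static]
        return Verdict.ALLOW


class RuntimeEnforcer:
    """Second policy: checked at launch and again on every system/environment
    change. An unmet rule raises a user prompt; approval records the rule as an
    exception in the access policy, refusal blocks the launch or kills the app."""

    def __init__(self, repos: Repositories, ask_user: Callable[[str, Rule], bool]):
        self.repos = repos
        self.ask_user = ask_user
        self.running: Set[str] = set()

    def evaluate(self, app_id: str, environment: Dict[str, str]) -> Verdict:
        approved = self.repos.approved.setdefault(app_id, set())
        for rule in self.repos.rt_policies.get(app_id, []):
            if rule.holds(environment) or rule in approved:
                continue
            if self.ask_user(app_id, rule):
                approved.add(rule)   # user-approved exception: update access policy
                continue
            return Verdict.DENY
        return Verdict.ALLOW

    def launch(self, app_id: str, environment: Dict[str, str]) -> Verdict:
        verdict = self.evaluate(app_id, environment)
        if verdict is Verdict.ALLOW:
            self.running.add(app_id)
        return verdict

    def on_environment_change(self, environment: Dict[str, str]) -> List[str]:
        """Re-evaluate every running app; return the IDs that had to be killed."""
        killed = [a for a in sorted(self.running) if self.evaluate(a, environment) is Verdict.DENY]
        self.running.difference_update(killed)
        return killed


def demo() -> dict:
    # Constructed sample data: a 3D-camera, TEE-equipped platform and two apps.
    system_manifest = {"android.hardware.camera.type": "3D", "android.tee.available": "true"}
    repos = Repositories()
    installer = Installer(system_manifest, repos)
    casino = [Rule("android.hardware.camera.type", "oneOf", frozenset({"3D", "Triple"})),
              Rule("android.login.user.age", "notOneOf", frozenset({"Child"})),
              Rule("android.INTERNET.status", "oneOf", frozenset({"connected"}))]
    scanner = [Rule("android.hardware.camera.type", "oneOf", frozenset({"Triple"}))]
    out = {"install_casino": installer.install("com.example.CasinoMax", casino),
           "install_scanner": installer.install("com.example.Scanner", scanner)}
    strict = RuntimeEnforcer(repos, ask_user=lambda app, rule: False)   # user refuses
    online_adult = {"android.login.user.age": "Adult", "android.INTERNET.status": "connected"}
    out["launch_adult"] = strict.launch("com.example.CasinoMax", online_adult)
    out["killed_offline"] = strict.on_environment_change({**online_adult, "android.INTERNET.status": "disconnected"})
    online_child = {**online_adult, "android.login.user.age": "Child"}
    out["launch_child"] = strict.launch("com.example.CasinoMax", online_child)
    lenient = RuntimeEnforcer(repos, ask_user=lambda app, rule: True)   # user approves
    out["launch_child_approved"] = lenient.launch("com.example.CasinoMax", online_child)
    out["exceptions_recorded"] = len(repos.approved["com.example.CasinoMax"])
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the module prints the verdicts for the constructed scenario: the scanner app is refused at install because the platform's camera is not a triple camera, the casino app installs, launches for an adult while online, is killed when the connection drops, is refused for a child user, and is allowed for the child only after the prompt is approved and the exception recorded. A parameter that neither the system manifest nor the environment reports is treated as unmet, so a manifest that names a capability the platform has never heard of fails closed rather than open.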
FIG. 5 is a flow diagram that illustrates steps of a method for operating a computer system including a processor coupled to a memory that is configured to store an operating system, OS, in accordance with an embodiment of the disclosure. At a step 502, the processor is configured, when executing the OS, to cause the computer system to obtain, from a software application, a condition for a software application operation. At a step 504, the processor is used, when executing the OS, to determine whether or not the computer system satisfies the condition for the software application operation. At a step 506, the processor is used, when executing the OS, to prevent an operation to the software application in response to the computer system being unable to satisfy the condition for software application operation.
Optionally, the condition for software application operation includes a first policy for installing the software application. The operation to the software application includes installing the software application. The method includes configuring the computer system to obtain, from the software application, the condition for software application operation by obtaining the first policy from the software application when receiving the software application from a network.
Optionally, the condition for software application operation includes a second policy for the software application to access protected data. The operation to the software application includes executing the software application. The method includes configuring the computer system to obtain, from a software application, the condition for software application operation by (i) obtaining, from the software application, the second policy when or after installing the software application, (ii) storing the second policy, and (iii) reading the stored second policy for the software application when the software application is trying to access the protected data.
Optionally, the method includes configuring the computer system to present a user prompt when preventing the operation to the software application, and receive an authorization input by a user of the computer system according to the user prompt.
Optionally, the method includes configuring the computer system to generate the user prompt when the software application requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system, and to update an application access policy of the computer system on approval from the user.
Optionally, the method includes configuring the computer system to generate a user warning, for example a prompt, if the computer system is not able to meet fully the condition of the software application in respect of data security.
Optionally, the method includes modifying the application manifest to support new attributes that allow an allocation of run-time conditions to be specified; for example, the inclusive "one of" and exclusive "not one of" key words are introduced. Optionally, each is followed by a list of options that must be available or unavailable accordingly, and is specified per capability or resource type. In the example, it is specified that the application mandates use of a 3D or triple camera and is aimed to serve all users except children (namely, payments are not allowed for children):
    <manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.CasinoMax">
        <uses-feature android:name="android.hardware.camera" android:required="true"/>
        <run-condition android:name="android.hardware.camera" android:cameraType:one of = "3D", "Triple" />
        <run-condition android:name="android.login.user" android:age.notOneOf="Child"/>
        <!-- other permissions go here -->
        <application ...>
        </application>
    </manifest>
The application manifest extensions may include the new attributes allowing an application vendor to specify requirements for a hosting platform and a run-time environment. The system manifest and status Application Program Interfaces (APIs) may be expanded by a list of system resources and attributes required in the evaluation of application RT conditions, which may include a camera type, a connection state, a user's age, and so forth.
All of the below may become building blocks of the RT conditions listed in the system manifest, for example in connection with the aforesaid second policy. Each parameter of a given category of application-driven policies may have at least the following conditions:
    oneOf      // augmented by the list of 1 or more discrete values
    notOneOf   // augmented by the list of 1 or more discrete values
It will be appreciated that, according to the previous description, the RT conditions and the system manifest are mutually different; for example, the application manifest 324 includes the run-time conditions, and the system manifest 120 is metadata that defines a system computing environment. Moreover, the application manifest 324 and the system manifest 120 are stored separately, for example in units 116 and 122 in FIG. 1B, and likewise for example in units 312 and 318 in FIG. 3.
Each parameter may include one or more values specified as application specific strings that are supported by system sensors and context providers.
For example:

    android.hardware.camera.type   android:oneOf = "3D", "triple"
    android.INTERNET.status        android:oneOf = "connected"
Moving evaluation of the computer system to an OS level removes risks of privacy breach related to exposure of these sensitive parameters.
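The run-condition evaluation described above, as an added example that is not code from the patent or from Android: it parses a constructed application manifest in the proposed form, checks each oneOf/notOneOf condition against a constructed system manifest standing in for the OS system manifest and status APIs, and fails closed when the platform cannot report a parameter. The attribute spelling android:cameraType.oneOf and android:age.notOneOf is an assumption following the patent's sketch.

```python
"""Evaluator for the patent's proposed <run-condition> manifest extension (added example,
not patent or Android code). Attribute spelling follows the patent's sketch; the system
manifest is a constructed dict standing in for the OS system manifest and status APIs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed application manifest in the patent's proposed form.
APP_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.CasinoMax">
  <uses-feature android:name="android.hardware.camera" android:required="true"/>
  <run-condition android:name="android.hardware.camera" android:cameraType.oneOf="3D,Triple"/>
  <run-condition android:name="android.login.user" android:age.notOneOf="Child"/>
</manifest>"""

# Constructed system manifest: what the platform's sensors and context providers report.
SYSTEM_MANIFEST = {
    "android.hardware.camera.cameraType": "Triple",
    "android.login.user.age": "Child",
    "android.INTERNET.status": "connected",
}

def parse_run_conditions(xml_text):
    """Return a list of (parameter, operator, values) tuples from <run-condition> elements."""
    conditions = []
    for rc in ET.fromstring(xml_text).iter("run-condition"):
        resource = rc.attrib[f"{{{ANDROID_NS}}}name"]
        for qualified_key, value in rc.attrib.items():
            local = qualified_key.rsplit("}", 1)[-1]   # strip the XML namespace
            if "." not in local:
                continue                               # android:name itself, not a condition
            param, op = local.rsplit(".", 1)
            if op in ("oneOf", "notOneOf"):
                values = {v.strip() for v in value.split(",")}
                conditions.append((f"{resource}.{param}", op, values))
    return conditions

def evaluate(conditions, system_manifest):
    """Return (allowed, violations). A parameter the platform cannot report counts as
    unmet, so an unknown or incompatible platform fails closed rather than open."""
    violations = []
    for param, op, values in conditions:
        actual = system_manifest.get(param)
        if actual is None:
            violations.append(f"{param}: not reported by platform")
        elif op == "oneOf" and actual not in values:
            violations.append(f"{param}={actual} is not one of {sorted(values)}")
        elif op == "notOneOf" and actual in values:
            violations.append(f"{param}={actual} is excluded by notOneOf {sorted(values)}")
    return not violations, violations

if __name__ == "__main__":
    allowed, why = evaluate(parse_run_conditions(APP_MANIFEST), SYSTEM_MANIFEST)
    print("operation allowed" if allowed else "operation prevented: " + "; ".join(why))
```

With the constructed system manifest the camera condition is met but the child user trips the notOneOf rule, so the operation is prevented with a single reason the OS could surface in the user prompt of claim 4.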
FIG. 6 is an illustration of an exemplary computer system 600 in which the various architectures and functionalities of the various previous embodiments may be implemented. As shown, the computer system 600 includes at least one processor 604 that is connected to a bus 602, wherein the computer system 600 may be implemented using any suitable protocol, such as PCI (Peripheral Component Interconnect), PCI-Express, AGP (Accelerated Graphics Port), HyperTransport, or any other bus or point-to-point communication protocol(s). The computer system 600 also includes a memory 606.
Control logic (software) and data are stored in the memory 606, which may take the form of random-access memory (RAM). In the disclosure, a single semiconductor platform may refer to a sole unitary semiconductor-based integrated circuit or chip. It should be noted that the term single semiconductor platform may also refer to multi-chip modules with increased connectivity which simulate on-chip operation, and make substantial improvements over utilizing a conventional central processing unit (CPU) and bus embodiment. Of course, the various modules may also be situated separately or in various combinations of semiconductor platforms per the desires of the user.
The computer system 600 may also include a secondary storage 610. The secondary storage 610 includes, for example, a hard disk drive and a removable storage drive, representing a floppy disk drive, a magnetic tape drive, a compact disk drive, a digital versatile disk (DVD) drive, a recording device, or universal serial bus (USB) flash memory. The removable storage drive reads from and/or writes to a removable storage unit in a well-known manner.
Computer programs, or computer control logic algorithms, may be stored in at least one of the memory 606 and the secondary storage 610. Such computer programs, when executed, enable the computer system 600 to perform various functions as described in the foregoing. The memory 606, the secondary storage 610, and any other storage are possible examples of computer-readable media.
In an implementation, the architectures and functionalities depicted in the various previous figures may be implemented in the context of the processor 604, a graphics processor coupled to a communication interface 612, an integrated circuit (not shown) that is capable of at least a portion of the capabilities of both the processor 604 and a graphics processor, a chipset (namely, a group of integrated circuits designed to work and be sold as a unit for performing related functions), and so forth.
Furthermore, the architectures and functionalities depicted in the various previously described figures may be implemented in the context of a general computer system, a circuit board system, a game console system dedicated for entertainment purposes, or an application-specific system. For example, the computer system 600 may take the form of a desktop computer, a laptop computer, a server, a workstation, a game console, or an embedded system.
Furthermore, the computer system 600 may take the form of various other devices including, but not limited to, a personal digital assistant (PDA) device, a mobile phone device, a smart phone, a television, and so forth. Additionally, although not shown, the computer system 600 may be coupled to a network (for example, a telecommunications network, a local area network (LAN), a wireless network, a wide area network (WAN) such as the Internet, a peer-to-peer network, a cable network, or the like) for communication purposes through an I/O interface 608.
It should be understood that the arrangement of components illustrated in the figures described is exemplary and that other arrangements may be possible. It should also be understood that the various system components (and means) defined by the claims, described below, and illustrated in the various block diagrams represent components in some systems configured according to the subject matter disclosed herein. For example, one or more of these system components (and means) may be realized, in whole or in part, by at least some of the components illustrated in the arrangements illustrated in the described figures.
In addition, while at least one of these components is implemented at least partially as an electronic hardware component, and therefore constitutes a machine, the other components may be implemented in software that, when included in an execution environment, constitutes a machine, hardware, or a combination of software and hardware.
Although the disclosure and its advantages have been described in detail, it should be understood that various changes, substitutions, and alterations can be made herein without departing from the spirit and scope of the disclosure as defined by the appended claims.

Claims

1. A computer system (104, 304, 600) including a processor (106) and a memory (108) configured to store an operating system, OS (112, 206, 306) wherein the processor (106), when executing the OS (112, 206, 306), is configured to cause the computer system (104, 304, 600) to: obtain, from a software application (110, 202, 308, 418), a condition for a software application operation; determine whether or not the computer system (104, 304, 600) satisfies the condition for the software application operation; and prevent an operation to the software application (110, 202, 308, 418) in response to the computer system (104, 304, 600) being unable to satisfy the condition for software application operation.
2. The computer system (104, 304, 600) of claim 1, wherein the condition for software application operation includes a first policy for installing the software application (110, 202, 308, 418), and the operation to the software application (110, 202, 308, 418) includes installing the software application (110, 202, 308, 418); wherein the computer system (104, 304, 600) is configured to obtain, from the software application (110, 202, 308, 418), the condition for software application operation by: obtaining the first policy from the software application (110, 202, 308, 418) when receiving the software application (110, 202, 308, 418) from a network.
3. The computer system (104, 304, 600) of claim 1 or 2, wherein: the condition for software application operation includes a second policy for the software application (110, 202, 308, 418) to access protected data; the operation to the software application (110, 202, 308, 418) includes executing the software application (110, 202, 308, 418); and the computer system (104, 304, 600) is configured to obtain, from a software application (110, 202, 308, 418), the condition for software application operation by:
obtaining, from the software application (110, 202, 308, 418), the second policy when or after installing the software application (110, 202, 308, 418); storing the second policy; and reading the stored second policy for the software application (110, 202, 308, 418) when the software application (110, 202, 308, 418) is trying to access the protected data.
4. The computer system (104, 304, 600) of any one of claims 1 to 3, wherein the computer system (104, 304, 600) is further configured to: present a user prompt when preventing the operation to the software application (110, 202, 308, 418); and receive an authorization input by a user (102, 402) of the computer system (104, 304, 600) according to the user prompt.
5. The computer system (104, 304, 600) of claim 4, wherein the computer system (104, 304, 600) is configured to generate the user prompt when the software application (110, 202, 308, 418) requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system (104, 304, 600), and to update an application access policy of the computer system (104, 304, 600) on approval from the user (102, 402).
6. The computer system (104, 304, 600) of any one of claims 1 to 5, wherein the computer system (104, 304, 600) is configured to generate a user warning if the computer system (104, 304, 600) is not able to meet fully the condition of the software application (110, 202, 308, 418) in respect of data security.
7. A method for operating a computer system (104, 304, 600) including a processor (106) and a memory (108) configured to store an operating system, OS (112, 206, 306), wherein the method includes:
(i) configuring the processor (106), when executing the OS (112, 206, 306), to cause the computer system (104, 304, 600) to obtain, from a software application (110, 202, 308, 418), a condition for a software application operation; (ii) using the processor (106), when executing the OS (112, 206, 306), to determine whether or not the computer system (104, 304, 600) satisfies the condition for the software application operation; and
(iii) using the processor (106), when executing the OS (112, 206, 306), to prevent an operation to the software application (110, 202, 308, 418) in response to the computer system (104, 304, 600) being unable to satisfy the condition for software application operation.
8. The method of claim 7, wherein the condition for software application operation includes a first policy for installing the software application (110, 202, 308, 418), wherein the operation to the software application (110, 202, 308, 418) includes installing the software application (110, 202, 308, 418), and wherein the method includes: configuring the computer system (104, 304, 600) to obtain, from the software application (110, 202, 308, 418), the condition for software application operation by obtaining the first policy from the software application (110, 202, 308, 418) when receiving the software application (110, 202, 308, 418) from a network.
9. The method of claim 7 or 8, wherein the condition for software application operation includes a second policy for the software application (110, 202, 308, 418) to access protected data, wherein the operation to the software application (110, 202, 308, 418) includes executing the software application (110, 202, 308, 418), and wherein the method includes: configuring the computer system (104, 304, 600) to obtain, from a software application (110, 202, 308, 418), the condition for software application operation by: obtaining, from the software application (110, 202, 308, 418), the second policy when or after installing the software application (110, 202, 308, 418); storing the second policy; and reading the stored second policy for the software application (110, 202, 308, 418) when the software application (110, 202, 308, 418) is trying to access the protected data.
10. The method of any one of claims 7 to 9, wherein the method includes: configuring the computer system (104, 304, 600) to: present a user prompt when preventing the operation to the software application (110, 202, 308, 418); and receive an authorization input by a user (102, 402) of the computer system (104, 304, 600) according to the user prompt.
11. The method of claim 10, wherein the method includes configuring the computer system (104, 304, 600) to generate the user prompt when the software application (110, 202, 308, 418) requires run-time conditions that are an exception to the condition for software application operation and a system policy of the computer system (104, 304, 600), and to update an application access policy of the computer system (104, 304, 600) on approval from the user (102, 402).
12. The method of any one of claims 7 to 11, wherein the method includes configuring the computer system (104, 304, 600) to generate a user warning if the computer system (104, 304, 600) is not able to meet fully the condition of the software application (110, 202, 308, 418) in respect of data security.
13. A computer program product having computer-readable instructions, the computer- readable instructions being executable by a computerized device comprising processing hardware to execute a method as claimed in any one of claims 7 to 12.
PCT/EP2020/087353 2020-12-20 2020-12-20 Protection of a computer system and its software from installing and running software applications on incompatible platforms WO2022128143A1 (en)

Publications (1)

Publication Number Publication Date
WO2022128143A1 true WO2022128143A1 (en) 2022-06-23

Legal Events

121 EP: the EPO has been informed by WIPO that EP was designated in this application (ref document number: 20838993; country of ref document: EP; kind code: A1)
NENP: Non-entry into the national phase (ref country code: DE)
122 EP: PCT application non-entry in European phase (ref document number: 20838993; country of ref document: EP; kind code: A1)