WO2013142947A1 - Secured execution of a web application - Google Patents

Secured execution of a web application Download PDF

Info

Publication number
WO2013142947A1
WO2013142947A1 PCT/CA2012/000297 CA2012000297W WO2013142947A1 WO 2013142947 A1 WO2013142947 A1 WO 2013142947A1 CA 2012000297 W CA2012000297 W CA 2012000297W WO 2013142947 A1 WO2013142947 A1 WO 2013142947A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
web application
trusted module
pes
execution
Prior art date
Application number
PCT/CA2012/000297
Other languages
French (fr)
Inventor
Yuan Xiang Gu
Garney David Adams
Original Assignee
Irdeto Canada Corporation
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Irdeto Canada Corporation filed Critical Irdeto Canada Corporation
Priority to CN201280073524.2A priority Critical patent/CN104321782B/en
Priority to EP12873189.0A priority patent/EP2831790B1/en
Priority to PCT/CA2012/000297 priority patent/WO2013142947A1/en
Priority to US14/389,752 priority patent/US9471776B2/en
Publication of WO2013142947A1 publication Critical patent/WO2013142947A1/en
Priority to US15/270,949 priority patent/US9934375B2/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/125Restricting unauthorised execution of programs by manipulating the program code, e.g. source code, compiled code, interpreted code, machine code
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/128Restricting unauthorised execution of programs involving web programs, i.e. using technology especially used in internet, generally interacting with a web browser, e.g. hypertext markup language [HTML], applets, java
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/12Applying verification of the received information
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433Vulnerability analysis
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Definitions

  • the present invention relates to secured execution of a web application.
  • cloud computing is changing information cultures and is part of an emerging business strategy for a new delivery model for Internet-based computation services, application software, data access, and storage.
  • Security associated with untrusted environments becomes challenging.
  • Traditional computer and network security schemes are inadequate to address vulnerabilities and attacks associated to these untrusted systems.
  • a web application is an application that is accessed over a network such as the Internet or an intranet by using web browsers, and is coded in a browser-supported language (such as JavaScript, combined with a browser-rendered markup language like HTML).
  • the web application relies on a common web browser to render the application executable.
  • the ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity, as is the inherent support for cross-platform compatibility. Compared to early HTML and JavaScript to the latest HTML5, latest web applications are becoming platform and browsers independent. Browsers are also providing application execution environments. When compared to native execution environments, secured execution of a web application provides new challenges.
  • Pressure is greater than before on mobile device manufacturers (whether smart phones or tablets) and network operators to maintain costs at the lowest possible level. Yet, execution of the same web application should provide the same functionality, no matter what device it is executed on. For lower end devices, resources are usually more limited, which creates additional pressure on the web applications.
  • KJava on Symbian platform is a scaled down Java Virtual Machine (JVM) designed for mobile platforms.
  • JVM Java 2 Standard Edition
  • J2SE Java 2 Standard Edition
  • MIDP restricted Mobile Information Device Profile
  • CLDC restricted Connected Limited Device Configuration
  • restrictions include 1) no support for Java Native Interface (JNI); 2) limited reflection capabilities (e.g., limited ability to examine or modify runtime behavior); 3) no custom class loaders (e.g., no ability to fine tune behavior of the class loader).
  • the present invention aims generally at providing protection techniques to secure execution of web applications within non-native execution environments.
  • a client device should support running applications on-line (internet connected) or off-line (not internet connected). Securing the execution of such applications should be persistent, no matter whether it runs on-line or off-line.
  • the present invention provides a general framework that allows for secured execution of an application on-line or off-line, although the protection techniques can leverage specific aspects of on-line or off-line execution.
  • a first aspect of the present invention is directed to a method for securing execution of a web application comprising.
  • the method comprises, on a processor of a client device, invoking a function of the web application.
  • the method follows with, on the processor of the client device, invoking a Partial Execution Stub (PES) function during execution of the function of the web application.
  • PES Partial Execution Stub
  • the method then continues, from the PES function, with sending a message call with current execution information related to the web application.
  • the message call is sent to a trusted module.
  • a verification result is thereafter received by the PES function from the trusted module related to the message call.
  • the method may also comprise establishing, by the PES function, a communication connection with the trusted module.
  • the message call is sent via the socket connection and the verification result is received via the communication connection.
  • the communication connection may be a local or remote socket connection or a websocket connection that can be used for both local and remote connections.
  • the trusted module may be executed on a server node or locally in the client device.
  • a second message call is sent to a second trusted module from the PES function with further current execution information related to the web application.
  • the second trusted module may provide at least one function not offered by the trusted module.
  • the PES function may thereafter receive a second verification result from the second trusted module related to the second message call.
  • the PES function may forward the message call with current execution information related to the web application to a second trusted module in response to the verification result.
  • the second trusted module may provide at least one function offered by the trusted module and the verification result may indicate that the required processing was not performed by the first trusted module or indicate that a timeout from the trusted module was received as the verification result.
  • the PES function may thereafter receive a second verification result from the second trusted module related to the forwarded message call.
  • the verification result may indicate tampering of the web application, in which case the method may further comprise, from the PES function, invoking a mitigation action.
  • the mitigation action can vary and may involve, e.g., returning incorrect next function information, returning an invalid function definition, or returning a standard error function or result, causing the application behavior to fail immediately, fail gradually or execute incorrectly.
  • the verification result may alternatively comprise a next function information to be invoked for the web application. In this latter case, the method may follow with invoking the next function. The method may also follow with returning a function to the web application for injection into the web application and subsequent invocation.
  • a second aspect of the presented invention is directed to a method executed in a network node for converting a web application to a secured web application.
  • the secured web application may be obtained by applying static and/or dynamic processing techniques. The determination of what combination of processing techniques depends on implementation choice being the web application.
  • the processor is exemplified as securing the web application in a static manner. For instance, the processing is applied to the web application prior to deploying the web application.
  • the method comprises reading, at the network node, code of the web application from a memory unit.
  • the code comprises more than one function.
  • the method continues with determining from a function call graph of the web application, that at least a call dependency from a first function to a second function of the more than one function needs to be protected.
  • the web application is thus modified into the secured web application code by adding to the code of the web application, a at least one Partial Execution Stub (PES) function comprising code to establish a communication connection with a trusted module.
  • PES Partial Execution Stub
  • the web application is further modified into the secured web application code by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function and generating a set of rules from the function call dependency graph to define the call dependency from the PES function to the second function.
  • the method follows with, at the network node, storing the secured web application into the memory unit and the set of rules into the memory unit. Once the secured web application is obtained, it may be delivered to one or more client device.
  • a plurality of PES functions may be present and each one of those may be related to a call dependency.
  • generating the set of rules is performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit.
  • Generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration.
  • the first function and the second function may be present in the code of the web application as a single function.
  • the method may thus further comprise splitting the single function into the first and second functions based on an asset being processed in the single function.
  • the set of rules may comprise a record comprising a current caller element identifying the first function as a current calling function requiring an inquiry before invoking the second function, a current PES element identifying the PES function as invoking the trusted module to trigger the inquiry, a next function element identifying the second function and providing information necessary for invocation of the second function, an element of trusted functions identifying a set of functions that are linked with the trusted module and can be executed by an invoking mechanism within the trusted module and a security actions element identifying a set of security features that the trusted module is capable of executing prior to returning a result of the inquiry.
  • a third aspect of the present invention is directed to a trusted module for securing execution of a web application executing on a client device.
  • the trusted module comprises a connection module, a function call module and a verification module.
  • the connection module is for receiving a communication connection request from a Partial Execution Stub (PES) function of the web application.
  • the function call module is for receiving a message call from the PES function via the communication connection.
  • the message call comprises current execution information related to the web application.
  • the verification module is for determining, based on the current execution information, a next function to be executed for the web application and sending a result of the determination to the PES function via the communication connection.
  • the trusted module may be executed on a server node remote from the client device executing the web application or on the client device.
  • the trusted module may further comprise a security module comprising secured functions and pre-defined mitigating actions.
  • the result of the determination may indicate tampering of the web application.
  • the result of the determination may comprise a next function information to be invoked for the web application.
  • connection module may optionally further establish a connection with a second trusted module in order to obtain the verification result.
  • the second trusted module may provide at least one function offered by the trusted module and/or at least one function not offered by the trusted module.
  • a fourth aspect of the present invention is directed to a client device comprising a network interface module and a processor executing a web application.
  • the network interface module opens a communication connection between a Partial Execution Stub (PES) function and a trusted module.
  • PES Partial Execution Stub
  • the processor executes the web application by invoking a function of a web application, invoking the PES function during execution of the function of the web application, sending a message call from the PES function with current execution information related to the web application to the trusted module via the communication connection and receiving a verification result from the trusted module related to the message call.
  • the trusted module may be executed on a remote server node.
  • the verification result may indicate tampering of the web application, in which case the processor may further execute a mitigation action.
  • the verification result may also comprise a next function information to be invoked for the web application, in which case the processor further invokes the next function.
  • a fifth aspect of the present invention is directed to a network node for converting a web application to a secured web application.
  • the network node comprises a memory unit and a processor for securing the web application.
  • the memory unit is for storing code of the web application, which comprises more than one function.
  • the processor is for securing the web application by determining, from a function call graph of the web application comprising at least a call dependency from a first function to a second function of the more than one function, that the call dependency from the first function to the second function needs to be protected, and modifying the web application into the secured web application code. Modifying the web application into the secured web application code is performed by adding to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication connection with a trusted module. The PES function requires interaction with the trusted module.
  • PES partial execution stub
  • Modifying the web application into the secured web application code is further performed by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function and generating a set of rules from the function call dependency graph to define a call dependency from the PES function to the second function.
  • the processor is further securing the web application by storing the secured web application and the set of rules into the memory unit.
  • the processor is exemplified as securing the web application in a dynamic manner. For instance, the processing is applied prior to sending the web application to the client device, but after the web application is installed on a network node.
  • generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration.
  • generating the set of rules is performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit.
  • PEFM Partial Execution Flow Map
  • the first function and the second function are present in the code of the web application as a single function.
  • the processor is further splitting the single function into the first and second functions based on an asset being processed in the single function.
  • the processor may further sign the secured web application prior to storing and encrypt the set of rules prior to storing.
  • Figure 1 shows an exemplary modular representation of different components involved in secured execution of a web application in accordance with the present invention
  • Figure 2 shows an exemplary function splitting in accordance with the present invention
  • Figure 3 shows an exemplary original function dependency in accordance with the present invention
  • Figure 4 shows an exemplary protected application code with incomplete partial execution in accordance with the present invention
  • Figure 5(a) shows an exemplary modular representation and functional diagram of an invocation of F lp to F2p via Flpes2 in accordance with the present invention
  • Figure 5(b) shows an exemplary modular representation and functional diagram of an invocation of Fl p to F2p to F3 via F2pes3 in accordance with the present invention
  • Figure 5(c) shows an exemplary modular representation and functional diagram of an invocation return back from F3 to Flp in accordance with the present invention
  • Figure 5(d) shows an exemplary modular representation and functional diagram of an invocation of F l p to F3 via Fl pes3 in accordance with the present invention
  • Figure 6 shows an exemplary modular representation and functional diagram of a KJava application solution architecture in accordance with the present invention
  • Figure 7 shows an exemplary modular representation and functional diagram of a HTML5 web application protection architecture in accordance with the present invention
  • Figure 8 is an exemplary flow chart of secured execution of a web application in accordance with the teachings of the present invention
  • Figure 9 is an exemplary flow chart of converting a web application to a secured web application in accordance with the teachings of the present invention.
  • Figure 10 is a modular representation of an exemplary a trusted module 1000 in accordance with the teachings of the present invention.
  • Figure 1 1 is a modular representation of an exemplary a network node in accordance with the teachings of the present invention.
  • Figure 12 is a modular representation of an exemplary client device in accordance with the teachings of the present invention. Detailed description
  • Computer programs are generally expressed in some abstract language.
  • the language can be translated using a series of compilation and linking steps to a binary code that can be executed (or interpreted) by a computer (or other processing devices).
  • the programs can also be compiled into a virtual machine instruction set that can be executed on a virtual machine interpreter.
  • Some programming languages do not require the compilation and linking steps, but are interpreted by a language specific interpreter.
  • Protecting interpreted code is a difficult problem as the source code of the application is available at the client and the application has no direct access to the machine hardware.
  • a known attack technique is to analyze the control or logical flow of an application. In order to prevent an attacker to analyze the logical flow of the application, it is possible to remove the control flow from the program and replace it with a runtime access to an address server that provides the application with the information required to continue execution. Such possibility is currently only available for native execution environments and not to non-native languages and environments.
  • RPC Remote Procedure Calls
  • CORBA Common Object Request Broker Architecture
  • SOAP Simple Object Access Protocol
  • Trust modules are used in various applications and take the form of smart cards, dongles and cryptographic modules. These are commonly used to perform some attack sensitive functions. Moving these functions to a more attack-resistant environment increases the security of the application executing in a more open execution environment. Digital Rights Management (DRM) clients implement similar trust module functions using software. It is possible to have a software application implementing a standard decoder for compressed video streams where some data structures in the standard decoder need to be adapted by software executing in a more tamper-resistant environment.
  • DRM Digital Rights Management
  • non-native execution environments such as web browsers, JVM and other scripting environments
  • Exemplary causes include: [0057] 1.
  • attackers can access a high level language description of the application, and modify underlying code and execution logics including control flow and decision information.
  • Non-native applications are shielded from the details of the underlying hardware or operating system.
  • the non-native applications do not directly access security resources provided by the computing platform and do not use strong protection enabled by and built up on the native computing platforms.
  • An application engine, a virtual machine (run-time environment), or scripting engine is not typically designed and implemented with necessary requirements for white-box security and self-protection. Although they may introduce certain security, they typically only address certain man-in-the-middle vulnerabilities. A fundamental security weakness is typically a good place to start for an attacker that wishes to hack an application. [0060] 4. Many well developed or commercialized software security and protection techniques designed to protect native code cannot be directly adapted to non-native execution environments.
  • Another example of security problems related to securing execution of non-native applications is that the execution of a non-native application typically involves different pieces of software. The different pieces of software are usually provided in different forms and perform interactions at different execution stages. For instance, it is typically easier to do snip and spoof attacks to non-native execution logics compared to native executables. It is likely more difficult to maintain the integrity of the execution of a non-native application.
  • Yet another example of security problems related to securing execution of non-native applications is that many security features and protection mechanisms need to be triggered or involved from the protected execution of a non-native application.
  • security features are not tightly integrated and interwoven with the original functional execution logic of the non-native application, they can easily be skipped or removed from the protected execution leading to the overall security from such protections being compromised. Hence, securing execution against any attack in the protected execution shall result into failure of the protected non-native application to execute, thereby preventing attacker to achieve the goals and access protected assets.
  • the trusted module should be a well protected component and provide a set of protections.
  • the trusted module may provide for a trusted zone as a root of trustiness extending to a non-native application by an execution-enabling mechanism between the non-native application code and the trusted module.
  • the present invention aims at securing applications by moving control flow decisions and sensitive functions from the actual application to a trusted module generating an adapted application and protected data that needs to be processed by a trusted module.
  • this objective is achieved by interlacing application code (non-native side) and trusted module (can be native side, or non-native or in other forms including implemented in hardware) by using partial execution dependencies, which are processed and generated statically or dynamically by a tool.
  • the new adapted application code only contains incomplete execution logics.
  • the remaining execution logics and certain sensitive functions are represented in partial execution dependencies that can be managed and accessed only by the trusted module, and not directly from the protected non-native application code.
  • an adapted (e.g., secured) application connects to the trusted module and transmits its current point of execution and some context information.
  • the trusted module processes the context data based on the current point of execution and the protected data, which may include code for the trusted module.
  • the real execution of the protected application may be constructed dynamically by using partial execution dependencies by interacting with the trusted module.
  • the adapted application obtains modified context information and a new control point where the adapted application continues its execution.
  • An original execution flow is protected by execution within the trusted module.
  • the trusted module can be connected by using an execution-enabling mechanism (e.g., an Application Programming Interface (API)) between the protected application and the trusted module (e.g., JNl between Java and native code) or communication channels such as sockets or remote connections to connect the protected application and the trusted module.
  • an execution-enabling mechanism e.g., an Application Programming Interface (API)
  • API Application Programming Interface
  • Websocket can provide a connection to serve both local and remote communications between an application and trusted modules. It is possible to use a WebSocket API to connect a HTML5 web application with a local or/and remote trusted module or connect a local trusted module with a remote trusted module.
  • Such a communication capability can empower, simplify and standardize some implementation of this invention.
  • Secured application that would be subjected to an attack (e.g., to hacking), such as trying to skip execution through the trusted module may thus cause wrong behavior or incomplete execution of the original application.
  • This technique is thus able to improve trustworthiness of distributed application execution compared to current mechanism.
  • connection methods to bridge execution between the protected application and the trusted module may require design and implementation of partial execution dependencies. If there is an execution extension interface between non-native and native, such as JNl, partial execution dependencies can be represented directly in code form or through more advanced protections. If there is no such execution interface, such as kJava environment or HTML5 Websockets in a web browser environment, partial execution dependencies need to be represented as symbolic forms that can be passed by communication channels. In HTML5, protections can be further enhanced by providing function decryption during execution such that the function is unencrypted and dynamically loaded into the web browser page. [0069] The present invention extends the function of an external trust module with root of trustiness and secured capabilities. The trusted module calculates a next execution point for the execution/interpretation and processes context information that allows the trusted application to implement some security sensitive operations and return modified context information.
  • a function is one of most basic and important functional constructs of software.
  • a call dependency of an application code contains one of most important execution logics that layout structural relationship between different functions that are functional components.
  • Executable code by nature, self-contains such a dependency. Therefore, it is relatively easy to alter the execution by modifying call dependency to tamper original execution.
  • certain functions are critical because they involve valuable digital assets, such as crypto keys, IP algorithms, bank account numbers, login passwords, proprietary business logics, etc., that require necessary protection. From attacking purpose, those functions become main targets for attacks. Securing the execution is to protect those functions and call dependencies between those functions to guarantee the integrity of the original execution of the application.
  • Figure 1 shows an exemplary overview of securing execution via dynamic partial execution.
  • Figure 1 shows a non-native execution environment 100, a trusted module 1 10, a communication (e.g., socket) connection 120 between the non-native execution environment 100 and the trusted module 1 10 and a secured storage 130.
  • PES partial execution stubs
  • a protected application code contains, statically, only partial execution information. Without knowing dynamically-removed partial execution flow information within the trusted module 120, the entire application cannot execute completely and correctly.
  • This secured execution interlacing extends application execution with the trusted module 129 (or other third party security modules) during the execution. It provides an opportunity for various additional protection features to be deployed by the trusted module 120.
  • Figure 2 shows an exemplary function splitting in accordance with the present invention.
  • An original execution can be enhanced by necessary function splitting, e.g., for security purpose.
  • a function can be split into two or more than two smaller functions by introducing new invoking relationship. For example, there are two functions, Fl and F2.
  • Fl and F2 We can split F l into three smaller functions Fl 1 , F 12 and F13. This is a technique that can be applied in source code level, intermediate code level or binary code level. On source code level, it can be done manually with some security code guideline.
  • a record of the PEFM 132 is formatted with four elements:
  • Next function specify necessary information of next function to be invoked by current caller.
  • the information can be different.
  • the information of next function may contain class name and method name whereas in HTML5, it may contain a page or document object model of the web page and the javaScript function name.
  • Trusted functions specify a set of functions that have been linked with the trusted module and can be executed by invoking mechanism within the trusted module. Normally, these functions are some special functions offered by the trusted module or some original functions have been implemented in a way that can be loaded into the trusted module. Trusted functions can be deployed with the trusted module at installation time, and/or dynamically linked with the trusted module at runtime. The nature of types of trusted functions and how they are deployed can be dependent on the trusted module implementation. Exemplary trusted functions include cryptographic operations and integrity verification functions. In addition, while processing a web application, it may be possible to analyze a web page content and extract sensitive functions for trusted function invocation. These trusted functions can be delivered to the trusted module in encrypted form, and loaded, decrypted and executed by the trusted module.
  • Security actions specify a set of security features that the trusted module can do prior to returning search result. It is optional and up to user's requests during build-time. Also, it can be driven by security policy.
  • FIG. 3 and 4 respectively show an exemplary original function dependency and an exemplary protected application code with incomplete partial.
  • the example of Figures 3 and 4 is useful in illustrating partial execution flow in more details.
  • a processing tool can take the following steps to generate the protected application code only with partial execution and a symbolic PEFM:
  • Step 1 If necessary, do function splitting based on some security requirements. This step is not required in the present example.
  • Step 2 Analyze the call graph and identify the important functions and their call dependencies for protection by requests from a user as input options and configuration to the tool. In the present example, we would like to protect Fl and F2 and call dependencies of F l calling F2, Fl calling F3 and F2 calling F3.
  • Step 3 For each of functions to be protected and for each calling dependency that requires to be protected
  • a PES function is created.
  • the PES function can accept real parameters from caller function and pass them to the callee function that will be dynamically determined. Also, the PES function needs to facilitate the communication with a communication (e.g., socket) connection with the trusted module. For example, for F l calling F2, we create Fl pes2 stub function.
  • F l calling F2 is replaced by invoking Fl pes2 stub function.
  • a record of PEFM is created with filling necessary information.
  • the record of PEFM can be set as follows: [0092] i. Current caller: Fl p
  • Step 4 Process trusted functions.
  • Step 5 Generate a protected application code that only contain incomplete execution dependencies.
  • Step 6 Generate a symbolic PEFM and then encrypt it by using white-box cryptographic methods.
  • Step 7 Perform the signing to protected code of the non-native application and generate integrity verification (IV) voucher.
  • Step 8 Encrypt PEDM and IV voucher using white-box cryptographic methods and pack them into a easy-deploy package
  • [00105] Depending on the business model, there are typical four deployment models: [00106] 1. Deploy both of the protected application code, trusted module and partial execution package into a client environment. The protected application code should look like normal application. It still can be applied by other protection techniques like normal applications. For example, you can still apply secure loader protection. The partial execution package must be stored into local secured storage where the trusted module is able to access. [00107] 2. Deploy the protected application code and trusted module into a client environment and partial execution package into a remote trusted storage. The key difference between this model and above model is that partial execution package needs to be deployed into a remote storage server that can be accessed by the trusted module via remote access facility.
  • Protection can be on-line or off-line or switch between locally or remotely, making attacks difficult.
  • the present invention is not meant to be limited to any of the foregoing scenarios, but can be very flexible and applied to achieve strong protection and flexible renewability.
  • the protection can take its effects when the protected application is running on a device.
  • the example of Figures 3 and 4 is reused to discuss securing the execution by using the dynamic partial execution with reference to Figures 5(a), (b), (c) and (d).
  • a protected function F l p
  • a particular PES function Fl pes2
  • the F l pes2 function accepts inputs and then sends a down call message with current execution information, in which F l p is identified as the current caller and F1 pes2 is identified as the current PES.
  • the down call message is sent to a trusted module 520 through a communication (e.g., socket) connection 510 to inquire a next method to be executed.
  • the trusted module 520 will use this current execution information to search the next function to be executed from the secured PEFM located in a secured storage 530.
  • a search component, PE Handler, within the trusted module 520 can decrypt and access the PEFM securely by using white-box crypto and search whether the current execution information can match a record of PEFM. If the search fails, it indicates that the current call dependency is tampered and an attack is detected such that the current execution will be on-hold and entry mitigating stage. Otherwise, the search is successful and it indicates that the current execution can be continuing.
  • the trusted module 520 gets research results of next function and security actions. Next, the security agent of the trusted module 520 can perform those security actions, for example integrity verification and anti-debug.
  • the trusted module 520 will send a response message to the F lpes2 via the communication connection 510 with the next function information to be invoked as the result back. Otherwise, other attacks will be detected by the trusted module 520, through using those security features and the current execution, should enter the mitigating stage.
  • the F 1 pes2 After the F 1 pes2 receives the next function information from the trusted module 520, the F l pes2 invokes the F2p and pass necessary parameters received while Flp called accordingly in order to continue the execution of this protected application.
  • the current execution extends to a protected function (F2p).
  • F2pes3 When F2pes3 is invoked, it acts similarly to the Fl pes2 with a set of real parameters, which are parameters that original F2 would use to invoke original F3.
  • the F2pes3 function accepts these parameters and then sends message to the trusted module 520 with current execution information, in which F2p is identified as the current caller and F2pes3 is identified as the current PES, to the trusted module 520 through the communication connection 510 to inquire a next method to be executed. Similarly, the trusted module 520 uses the new current execution information to search the next function for F2p to be executed from the secured PEFM. The process above is not repeated, for sake of conciseness.
  • the trusted module 520 returns F3 as the next function to the F2pes3, it then passes the received parameters to the F3 and invoke the F3.
  • the current execution returns back to the F2pes3 and then return back to the F2p, and then return back to the Fl pes2 and finally return back to Fl p, which is particularly illustrated on Figure 5(c).
  • FIG. 6 shows an exemplary modular representation and functional diagram of a Java application solution architecture.
  • Figure 7 shows an exemplary modular representation and functional diagram of a HTML5 web application protection architecture. The techniques presented above with reference to a HTML5 web application is reused. With Websockets, the general architecture of partial execution protection can be more flexible in terms of deployment strategy of trusted modules and partial execution information.
  • HTML5 web application protection architecture via partial execution HTML5 web application protection architecture via partial execution
  • Java application solution architecture via partial execution Java application solution architecture via partial execution
  • the page can be changed dynamically during execution, so function code can be stored in the trust module and retrieved/decrypted at page execution time, and can also be removed from the page.
  • ⁇ Protected HTML page only contains partial execution information. Without knowledge of the dynamically removed partial execution info within Trusted Module, the entire application cannot function. [00133] ⁇ A web application, or different web applications can connect to one or different trusted modules locally or/and remotely. Different trusted modules can offer overlap or different security features to make attacks difficult. Also, necessary redundancy introduced by multiple trusted modules locally or remotely or both can make renewability and protection effective or flexible.
  • the present invention is expected to be useful to secure applications implemented using scripted languages, interpreted languages and virtual machines.
  • the trusted module can be either a software module or a hardware module. Adoption of virtual machines (e.g., BD+ VM) in SetTop Boxes (STB) is also considered in order to improve updating of the CA client in the STB.
  • the smart card could also implement the dynamic control flow functions as described in this invention.
  • the present invention may also enable deployment of a trusted module solution to much wider non-native execution environments with a better protection to secure the execution of a non-native application.
  • FIG. 8 shows an exemplary flow chart of secured execution of a web application in accordance with the teachings of the present invention.
  • a function of the web application is invoked 810.
  • a Partial Execution Stub (PES) function is invoked during execution of the function of the web application 820.
  • the PES function may optionally establish a communication (e.g., socket) connection with a trusted module (not shown).
  • a message call with current execution information related to the web application is then sent from the PES function 830.
  • the message call is sent to the trusted module.
  • the message call may be sent over the communication connection.
  • a verification result is thereafter received by the PES function from the trusted module related to the message call 840.
  • the message call may be sent and the verification message over the communication connection.
  • the communication connection may be a local or remote socket connection or a websocket connection for handling local or remote connections.
  • the trusted module may be executed on a server node or locally in the client device.
  • the verification result may indicate tampering of the web application, in which case the PES function may invoke a mitigation function (not shown).
  • the mitigation action can vary and may involve, e.g., returning incorrect next function information, returning an invalid function definition, or returning a standard error function or result, causing the application behavior to fail immediately, gradually or execute incorrectly.
  • the verification result may alternatively comprise a next function information to be invoked for the web application. It may further comprise none or some parameter(s) required by the next function. In this latter case, the method follows with invoking the next function (not shown).
  • a second message call may be sent to a second trusted module from the PES function with further current execution information related to the web application.
  • the second trusted module may provide at least one function not offered by the trusted module.
  • the PES function may thereafter receive a second verification result (not shown) from the second trusted module related to the second message call.
  • the PES function may also alternatively forward the message call (not shown) with current execution information related to the web application to the second trusted module in response to the verification result.
  • the second trusted module may provide at least one function offered by the trusted module and the verification result may indicate that the required processing was not performed by the first trusted module, indicate that a timeout was received as the verification result from the trusted module, etc.
  • the PES function may thereafter receive a second verification result (not shown) from the second trusted module related to the forwarded message call.
  • Figure 9 shows an exemplary flow chart of converting a web application to a secured web application.
  • the secured web application may be obtained by applying static and/or dynamic processing techniques. The determination of what combination of processing techniques depends on implementation choice being the web application.
  • code of the web application is read from a memory unit (not shown).
  • the code comprises multiple functions.
  • the function call graph comprises at least a call dependency from a first function to a second function of the multiple functions. It is then determined that the call dependency from the first function to the second function needs to be protected (910).
  • the web application is thus modified into the secured web application code by adding to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication (e.g., socket) connection with a trusted module (920).
  • the PES function requires interaction with the trusted module in order to perform the action previously taken by the second function.
  • the web application is further modified into the secured web application code by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function (940) and generating a set of rules to define a call dependency from the PES function to the second function (950).
  • the secured web application and the set of rules are stored into the memory unit. Once the secured web application is obtained, it may be delivered to one or more client device.
  • generating the set of rules may be performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit (not shown).
  • Generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration (not shown).
  • the first function and the second function may be present in the code of the web application as a single function. It may be necessary to split the single function into the first and second functions (not shown) based on an asset being processed in the single function (e.g., the single function may be read from the memory unit, split and stored to the memory unit as the first and second functions, which happens prior to reading the first and second functions therefrom).
  • the symbolic PEFM may comprise a record comprising a current caller element identifying the first function as a current calling function requiring an inquiry before invoking the second function, a current PES element identifying the PES function as invoking the trusted module to trigger the inquiry, a next function element identifying the second function and providing information necessary for invocation of the second function, a trusted functions element identifying a set of functions that are linked with the trusted module and can be executed by an invoking mechanism within the trusted module and a security actions element identifying a set of security features that the trusted module is capable of executing prior to returning a result of the inquiry.
  • FIG. 10 shows a trusted module 1000 for securing execution of a web application executing on a client device.
  • the trusted module comprises a network interface module 1010, a function call module 1020 and a verification module 1030.
  • the trusted module may also comprise a security module (not shown).
  • the network interface module 1010 is for receiving a communication (e.g., socket) connection request from a Partial Execution Stub (PES) function of the web application.
  • the function call module 1020 is for receiving a message call from the PES function via the communication connection.
  • the message call comprises current execution information related to the web application.
  • the verification module 1030 is for determining, based on the current execution information, a next function to be executed for the web application and sending a result of the determination to the PES function via the communication connection.
  • PES Partial Execution Stub
  • the trusted module 1000 may be executed on a server node (not shown) remote from the client device executing the web application or on the client device (not shown).
  • the security module (not shown) may comprise secured functions and pre-defined mitigating actions.
  • the result of the determination may indicate tampering of the web application.
  • the result of the determination may comprise a next function information to be invoked for the web application and may further comprise none or some parameter(s) required by the next function.
  • Figure 1 1 shows a network node 1 100 for converting a web application to a secured web application.
  • the network node 1 100 comprises a memory unit 1 140 and a processor 1 150 for securing the web application.
  • the memory unit 1 140 is for storing code of the web application, which comprises multiple functions.
  • the processor 1 150 is for securing the web application by determining, from a function call graph of the web application, that at least a call dependency from a first function to a second function of the web application needs to be protected.
  • the processor 1 150 is also for modifying the web application into the secured web application code. Modifying the web application into the secured web application code is performed by adding to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication (e.g., socket) connection with a trusted module (not shown).
  • PES partial execution stub
  • the PES function requires interaction with the trusted module in order to perform the action originally taken by the second function.
  • Modifying the web application into the secured web application code is further performed by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function and generating a set of rules to define a call dependency from the PES function to the second function.
  • the processor 1 150 is further for securing the web application by storing the secured web application and the set of rules into the memory unit 1 140.
  • generating the set of rules may be performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit 1 140 may be performed by storing the symbolic PEFM into the memory unit.
  • Generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration (not shown).
  • the first function and the second function may be present in the code of the web application as a single function.
  • the processor 1 150 may then further split the single function into the first and second functions based on an asset being processed in the single function.
  • the processor 1 150 may further sign the secured web application prior to storing and encrypt the set of rules (or symbolic PEFM) prior to storing.
  • the processor 1 150 may represent a single processor with one or more processor cores or an array of processors, each comprising one or more processor cores.
  • the memory unit 1 140 may comprise various types of memory (different standardized or kinds of Random Access Memory (RAM) modules, memory cards, Read-Only Memory (ROM) modules, programmable ROM, etc.).
  • Storage devices module (not shown) may be further be present as one or more logical or physical as well as local or remote hard disk drive (HDD) (or an array thereof).
  • the storage devices module may further represent a local or remote database made accessible to the network node 1 100 by a standardized or proprietary interface.
  • the optional network interface module 1 1 10 represents at least one physical interface that can be used to communicate with other network nodes.
  • the optional network interface module 1 1 10 may be made visible to the other modules of the network node 1 100 through one or more logical interfaces.
  • the actual stacks of protocols used by the physical network interface(s) and/or logical network interface(s) of the optional network interface module 1 1 10 do not affect the teachings of the present invention.
  • the variants of processor 1 150, memory unit 1 140, network interface module 1 1 10 and storage devices module usable in the context of the present invention will be readily apparent to persons skilled in the art. Likewise, even though explicit mentions of the memory module 1 140 and/or the processor 1 150 are not made throughout the description of the present examples, persons skilled in the art will readily recognize that such modules are used in conjunction with other modules of the network node 1 1 10 to perform routine as well as innovative steps related to the present invention.
  • FIG. 12 shows a client device 1200 comprising a network interface module 1210 and a processor 1250 executing a web application.
  • the network interface module 1210 opens a communication (e.g., socket) connection between a Partial Execution Stub (PES) function and a trusted module (not shown).
  • the communication connection may be a local or remote socket connection or a websocket.
  • the processor 1250 executes the web application by invoking a function of a web application, invoking the PES function during execution of the function of the web application, sending a message call from the PES function with current execution information related to the web application to the trusted module via the communication connection and receiving a verification result from the trusted module related to the message call.
  • the trusted module may be executed on a remote server node (not shown).
  • the verification result may indicate tampering of the web application, in which case the processor 1250 may further execute a mitigation action.
  • the verification result may also comprise a next function information to be invoked for the web application and may, if applicable, comprise one ore more parameter required by the next function.
  • the processor 1250 further invokes the next function.
  • the processor 1250 may represent a single processor with one or more processor cores or an array of processors, each comprising one or more processor cores.
  • the optional memory unit 1240 may comprise various types of memory (different standardized or kinds of Random Access Memory (RAM) modules, memory cards, Read-Only Memory (ROM) modules, programmable ROM, etc.).
  • Storage devices module (not shown) may be further be present as one or more logical or physical as well as local or remote hard disk drive (HDD) (or an array thereof).
  • the storage devices module may further represent a local or remote database made accessible to the client device 1200 by a standardized or proprietary interface.
  • the network interface module 1210 represents at least one physical interface that can be used to communicate with other network nodes.
  • the network interface module 1210 may be made visible to the other modules of the client device 1200 through one or more logical interfaces.
  • the actual stacks of protocols used by the physical network interface(s) and/or logical network interface(s) of the network interface module 1210 do not affect the teachings of the present invention.
  • the variants of processor 1250, optional memory unit 1240, network interface module 1210 and storage devices module usable in the context of the present invention will be readily apparent to persons skilled in the art.
  • the optional memory module 1240 and/or the processor 1250 are not made throughout the description of the present examples, persons skilled in the art will readily recognize that such modules are used in conjunction with other modules of the client device 1200 to perform routine as well as innovative steps related to the present invention.
  • deployment models may be used.
  • the chosen deployment model may be affected by, for instance, by security requirements and the functional nature of the web applications.
  • the following four exemplary deployment models, among others, are provided.
  • a first deployment model could be to deploy a secured web application with PES functions, one or more trusted modules and the PEFM into a client environment.
  • the PEFM may be stored into local secured storage accessible locally to the trusted module.
  • This first example of deployment model can provide support for off-line secured web application execution.
  • a second deployment model could be to deploy the secured web application with PES functions and one r more trusted modules into a client environment and the PEFM into a remote secured storage that can be accessed by the trusted module via remote connection and access facility.
  • a third deployment model could be to deploy the secured web application with PES functions into a client environment, and one or more trusted modules and the PEFM into one or more remote network nodes.
  • the secured storage that can be accessed by PES functions via remote connection and access facility.
  • a fourth deployment model could be to combine the first three models to deploy the secured web application with PES functions into a client environment different sets of characteristics. For instance, in the client environment, there could be one or more trusted modules and some PEFM stored in local secured storage while one or more trusted modules are stored in remote servers or cloud environments, and some PEFM is stored in remote secured storage. In such an example, dynamic execution dependency can be coordinated by correlating different trusted modules locally and remotely. Execution of protected function may occur on-line or off-line, or a mix of both, which likely renders attacks even more difficult. [00166] A method is generally conceived to be a self-consistent sequence of steps leading to a desired result. These steps require physical manipulations of physical quantities.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computing Systems (AREA)
  • Multimedia (AREA)
  • Technology Law (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Methods and nodes for securing execution of a web application by determining that a call dependency from a first to a second function needs to be protected, adding a Partial Execution Stub (PES) function comprising code to establish a communication connection with a trusted module. Methods and nodes for secured execution of a web application by invoking a function of the web application, invoking a Partial Execution Stub (PES) function during execution of the function of the web application, sending, from the PES function, a message call with current execution information to a trusted module and receiving, a verification result from the trusted module.

Description

SECURED EXECUTION OF A WEB APPLICATION
Technical field
[0001] The present invention relates to secured execution of a web application. Background [0002] Wireless interconnectivity and devices are dominant technologies being deployed and used in everyday life, whether for business use or personal use. In addition, cloud computing is changing information cultures and is part of an emerging business strategy for a new delivery model for Internet-based computation services, application software, data access, and storage. Security associated with untrusted environments becomes challenging. Traditional computer and network security schemes are inadequate to address vulnerabilities and attacks associated to these untrusted systems.
[0003] A web application is an application that is accessed over a network such as the Internet or an intranet by using web browsers, and is coded in a browser-supported language (such as JavaScript, combined with a browser-rendered markup language like HTML). The web application relies on a common web browser to render the application executable. The ability to update and maintain web applications without distributing and installing software on potentially thousands of client computers is a key reason for their popularity, as is the inherent support for cross-platform compatibility. Compared to early HTML and JavaScript to the latest HTML5, latest web applications are becoming platform and browsers independent. Browsers are also providing application execution environments. When compared to native execution environments, secured execution of a web application provides new challenges. Pressure is greater than before on mobile device manufacturers (whether smart phones or tablets) and network operators to maintain costs at the lowest possible level. Yet, execution of the same web application should provide the same functionality, no matter what device it is executed on. For lower end devices, resources are usually more limited, which creates additional pressure on the web applications.
[0004] For example, KJava on Symbian platform is a scaled down Java Virtual Machine (JVM) designed for mobile platforms. KJava contains a subset of the Java 2 Standard Edition (J2SE) packages and implements restricted Mobile Information Device Profile (MIDP) and restricted Connected Limited Device Configuration (CLDC) profiles. For instance, restrictions include 1) no support for Java Native Interface (JNI); 2) limited reflection capabilities (e.g., limited ability to examine or modify runtime behavior); 3) no custom class loaders (e.g., no ability to fine tune behavior of the class loader).
[0005] Exemplary limitations related to execution resources or environment restrictions have been mentioned and are of particular relevance in the context securing web application execution, which is generally addressed in the present application.
Summary [0006] The present invention aims generally at providing protection techniques to secure execution of web applications within non-native execution environments. In general, a client device should support running applications on-line (internet connected) or off-line (not internet connected). Securing the execution of such applications should be persistent, no matter whether it runs on-line or off-line. The present invention provides a general framework that allows for secured execution of an application on-line or off-line, although the protection techniques can leverage specific aspects of on-line or off-line execution.
[0007] A first aspect of the present invention is directed to a method for securing execution of a web application comprising. The method comprises, on a processor of a client device, invoking a function of the web application. The method follows with, on the processor of the client device, invoking a Partial Execution Stub (PES) function during execution of the function of the web application. The method then continues, from the PES function, with sending a message call with current execution information related to the web application. The message call is sent to a trusted module. A verification result is thereafter received by the PES function from the trusted module related to the message call. [0008] Optionally, the method may also comprise establishing, by the PES function, a communication connection with the trusted module. In this option, the message call is sent via the socket connection and the verification result is received via the communication connection. The communication connection may be a local or remote socket connection or a websocket connection that can be used for both local and remote connections. The trusted module may be executed on a server node or locally in the client device. [0009] In one option, a second message call is sent to a second trusted module from the PES function with further current execution information related to the web application. For instance, the second trusted module may provide at least one function not offered by the trusted module. The PES function may thereafter receive a second verification result from the second trusted module related to the second message call.
[0010] In another option, the PES function may forward the message call with current execution information related to the web application to a second trusted module in response to the verification result. For instance, the second trusted module may provide at least one function offered by the trusted module and the verification result may indicate that the required processing was not performed by the first trusted module or indicate that a timeout from the trusted module was received as the verification result. The PES function may thereafter receive a second verification result from the second trusted module related to the forwarded message call.
[0011] Optionally, the verification result may indicate tampering of the web application, in which case the method may further comprise, from the PES function, invoking a mitigation action. The mitigation action can vary and may involve, e.g., returning incorrect next function information, returning an invalid function definition, or returning a standard error function or result, causing the application behavior to fail immediately, fail gradually or execute incorrectly. [0012] The verification result may alternatively comprise a next function information to be invoked for the web application. In this latter case, the method may follow with invoking the next function. The method may also follow with returning a function to the web application for injection into the web application and subsequent invocation.
[0013] A second aspect of the presented invention is directed to a method executed in a network node for converting a web application to a secured web application. The secured web application may be obtained by applying static and/or dynamic processing techniques. The determination of what combination of processing techniques depends on implementation choice being the web application. In this second aspect, the processor is exemplified as securing the web application in a static manner. For instance, the processing is applied to the web application prior to deploying the web application.
[0014] The method comprises reading, at the network node, code of the web application from a memory unit. The code comprises more than one function. Thereafter, the method continues with determining from a function call graph of the web application, that at least a call dependency from a first function to a second function of the more than one function needs to be protected. The web application is thus modified into the secured web application code by adding to the code of the web application, a at least one Partial Execution Stub (PES) function comprising code to establish a communication connection with a trusted module. The PES function requires interaction with the trusted module. The web application is further modified into the secured web application code by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function and generating a set of rules from the function call dependency graph to define the call dependency from the PES function to the second function. Thereafter, the method follows with, at the network node, storing the secured web application into the memory unit and the set of rules into the memory unit. Once the secured web application is obtained, it may be delivered to one or more client device.
[0015] Optionally, a plurality of PES functions may be present and each one of those may be related to a call dependency.
[0016] Optionally, generating the set of rules is performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit. Generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration.
[0017] As another option, the first function and the second function may be present in the code of the web application as a single function. The method may thus further comprise splitting the single function into the first and second functions based on an asset being processed in the single function. [0018] The set of rules (or the symbolic PEFM) may comprise a record comprising a current caller element identifying the first function as a current calling function requiring an inquiry before invoking the second function, a current PES element identifying the PES function as invoking the trusted module to trigger the inquiry, a next function element identifying the second function and providing information necessary for invocation of the second function, an element of trusted functions identifying a set of functions that are linked with the trusted module and can be executed by an invoking mechanism within the trusted module and a security actions element identifying a set of security features that the trusted module is capable of executing prior to returning a result of the inquiry.
[0019] The method may also optionally comprise signing the secured web application prior to storing and encrypting set of rules prior to storing. [0020] A third aspect of the present invention is directed to a trusted module for securing execution of a web application executing on a client device. The trusted module comprises a connection module, a function call module and a verification module.
[0021] The connection module is for receiving a communication connection request from a Partial Execution Stub (PES) function of the web application. The function call module is for receiving a message call from the PES function via the communication connection. The message call comprises current execution information related to the web application. The verification module is for determining, based on the current execution information, a next function to be executed for the web application and sending a result of the determination to the PES function via the communication connection. [0022] The trusted module may be executed on a server node remote from the client device executing the web application or on the client device. The trusted module may further comprise a security module comprising secured functions and pre-defined mitigating actions.
[0023] Optionally, the result of the determination may indicate tampering of the web application. Alternatively, the result of the determination may comprise a next function information to be invoked for the web application.
[0024] The connection module may optionally further establish a connection with a second trusted module in order to obtain the verification result. The second trusted module may provide at least one function offered by the trusted module and/or at least one function not offered by the trusted module. [0025] A fourth aspect of the present invention is directed to a client device comprising a network interface module and a processor executing a web application. The network interface module opens a communication connection between a Partial Execution Stub (PES) function and a trusted module. The processor executes the web application by invoking a function of a web application, invoking the PES function during execution of the function of the web application, sending a message call from the PES function with current execution information related to the web application to the trusted module via the communication connection and receiving a verification result from the trusted module related to the message call.
[0026] Optionally, the trusted module may be executed on a remote server node.
[0027] The verification result may indicate tampering of the web application, in which case the processor may further execute a mitigation action. Alternatively, the verification result may also comprise a next function information to be invoked for the web application, in which case the processor further invokes the next function.
[0028] A fifth aspect of the present invention is directed to a network node for converting a web application to a secured web application. The network node comprises a memory unit and a processor for securing the web application.
[0029] The memory unit is for storing code of the web application, which comprises more than one function.
[0030] The processor is for securing the web application by determining, from a function call graph of the web application comprising at least a call dependency from a first function to a second function of the more than one function, that the call dependency from the first function to the second function needs to be protected, and modifying the web application into the secured web application code. Modifying the web application into the secured web application code is performed by adding to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication connection with a trusted module. The PES function requires interaction with the trusted module. Modifying the web application into the secured web application code is further performed by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function and generating a set of rules from the function call dependency graph to define a call dependency from the PES function to the second function. The processor is further securing the web application by storing the secured web application and the set of rules into the memory unit. In the fifth aspect, the processor is exemplified as securing the web application in a dynamic manner. For instance, the processing is applied prior to sending the web application to the client device, but after the web application is installed on a network node.
[0031] Optionally, generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration. [0032] Optionally, generating the set of rules is performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit.
[0033] As another option, the first function and the second function are present in the code of the web application as a single function. The processor is further splitting the single function into the first and second functions based on an asset being processed in the single function.
[0034] The processor may further sign the secured web application prior to storing and encrypt the set of rules prior to storing.
Brief description of the drawings [0035] In the appended drawings:
[0036] Figure 1 shows an exemplary modular representation of different components involved in secured execution of a web application in accordance with the present invention;
[0037] Figure 2 shows an exemplary function splitting in accordance with the present invention; [0038] Figure 3 shows an exemplary original function dependency in accordance with the present invention;
[0039] Figure 4 shows an exemplary protected application code with incomplete partial execution in accordance with the present invention;
[0040[ Figure 5(a) shows an exemplary modular representation and functional diagram of an invocation of F lp to F2p via Flpes2 in accordance with the present invention;
[0041] Figure 5(b) shows an exemplary modular representation and functional diagram of an invocation of Fl p to F2p to F3 via F2pes3 in accordance with the present invention;
[0042] Figure 5(c) shows an exemplary modular representation and functional diagram of an invocation return back from F3 to Flp in accordance with the present invention; [0043] Figure 5(d) shows an exemplary modular representation and functional diagram of an invocation of F l p to F3 via Fl pes3 in accordance with the present invention; [0044] Figure 6 shows an exemplary modular representation and functional diagram of a KJava application solution architecture in accordance with the present invention;
[0045] Figure 7 shows an exemplary modular representation and functional diagram of a HTML5 web application protection architecture in accordance with the present invention; [0046] Figure 8 is an exemplary flow chart of secured execution of a web application in accordance with the teachings of the present invention;
[0047] Figure 9 is an exemplary flow chart of converting a web application to a secured web application in accordance with the teachings of the present invention;
[0048] Figure 10 is a modular representation of an exemplary a trusted module 1000 in accordance with the teachings of the present invention;
[0049] Figure 1 1 is a modular representation of an exemplary a network node in accordance with the teachings of the present invention; and
[0050] Figure 12 is a modular representation of an exemplary client device in accordance with the teachings of the present invention. Detailed description
[0051] Computer programs are generally expressed in some abstract language. The language can be translated using a series of compilation and linking steps to a binary code that can be executed (or interpreted) by a computer (or other processing devices). The programs can also be compiled into a virtual machine instruction set that can be executed on a virtual machine interpreter. Some programming languages do not require the compilation and linking steps, but are interpreted by a language specific interpreter.
{0052] Protecting interpreted code is a difficult problem as the source code of the application is available at the client and the application has no direct access to the machine hardware. [0053] A known attack technique is to analyze the control or logical flow of an application. In order to prevent an attacker to analyze the logical flow of the application, it is possible to remove the control flow from the program and replace it with a runtime access to an address server that provides the application with the information required to continue execution. Such possibility is currently only available for native execution environments and not to non-native languages and environments.
[0054] It is possible to perform some functions at a remote computer with special resources, which cannot be easily and/or efficiently be transferred to a client. The details of the remote functions cannot easily be observed by an attacker. Some examples of this technology are Remote Procedure Calls (RPC), Common Object Request Broker Architecture (CORBA) and Simple Object Access Protocol (SOAP).
[0055] Trust modules are used in various applications and take the form of smart cards, dongles and cryptographic modules. These are commonly used to perform some attack sensitive functions. Moving these functions to a more attack-resistant environment increases the security of the application executing in a more open execution environment. Digital Rights Management (DRM) clients implement similar trust module functions using software. It is possible to have a software application implementing a standard decoder for compressed video streams where some data structures in the standard decoder need to be adapted by software executing in a more tamper-resistant environment.
[0056] There are security problems in securing execution of non-native applications. For instance, non-native execution environments, such as web browsers, JVM and other scripting environments, are much less secured than native execution environments. Exemplary causes include: [0057] 1. In interpreted languages, attackers can access a high level language description of the application, and modify underlying code and execution logics including control flow and decision information.
[0058] 2. Non-native applications are shielded from the details of the underlying hardware or operating system. The non-native applications do not directly access security resources provided by the computing platform and do not use strong protection enabled by and built up on the native computing platforms.
[0059] 3. An application engine, a virtual machine (run-time environment), or scripting engine is not typically designed and implemented with necessary requirements for white-box security and self-protection. Although they may introduce certain security, they typically only address certain man-in-the-middle vulnerabilities. A fundamental security weakness is typically a good place to start for an attacker that wishes to hack an application. [0060] 4. Many well developed or commercialized software security and protection techniques designed to protect native code cannot be directly adapted to non-native execution environments.
[0061] Another example of security problems related to securing execution of non-native applications is that the execution of a non-native application typically involves different pieces of software. The different pieces of software are usually provided in different forms and perform interactions at different execution stages. For instance, it is typically easier to do snip and spoof attacks to non-native execution logics compared to native executables. It is likely more difficult to maintain the integrity of the execution of a non-native application. [0062] Yet another example of security problems related to securing execution of non-native applications is that many security features and protection mechanisms need to be triggered or involved from the protected execution of a non-native application. If the security features are not tightly integrated and interwoven with the original functional execution logic of the non-native application, they can easily be skipped or removed from the protected execution leading to the overall security from such protections being compromised. Hence, securing execution against any attack in the protected execution shall result into failure of the protected non-native application to execute, thereby preventing attacker to achieve the goals and access protected assets.
[0063] It is possible to use a trusted module to extend its security services to a non-native application. The trusted module should be a well protected component and provide a set of protections. The trusted module may provide for a trusted zone as a root of trustiness extending to a non-native application by an execution-enabling mechanism between the non-native application code and the trusted module.
[0064] The present invention aims at securing applications by moving control flow decisions and sensitive functions from the actual application to a trusted module generating an adapted application and protected data that needs to be processed by a trusted module. In general, this objective is achieved by interlacing application code (non-native side) and trusted module (can be native side, or non-native or in other forms including implemented in hardware) by using partial execution dependencies, which are processed and generated statically or dynamically by a tool. After this processing, the new adapted application code only contains incomplete execution logics. The remaining execution logics and certain sensitive functions are represented in partial execution dependencies that can be managed and accessed only by the trusted module, and not directly from the protected non-native application code.
[0065] For instance, during execution, an adapted (e.g., secured) application connects to the trusted module and transmits its current point of execution and some context information. The trusted module processes the context data based on the current point of execution and the protected data, which may include code for the trusted module. With this mechanism, the real execution of the protected application may be constructed dynamically by using partial execution dependencies by interacting with the trusted module. As a result the adapted application obtains modified context information and a new control point where the adapted application continues its execution.
(0066] There is no static view of execution logics presented fully by the protected application code. At any state of the execution, only current partial execution becomes visible within the non-native execution environment.
[0067] An original execution flow is protected by execution within the trusted module. The trusted module can be connected by using an execution-enabling mechanism (e.g., an Application Programming Interface (API)) between the protected application and the trusted module (e.g., JNl between Java and native code) or communication channels such as sockets or remote connections to connect the protected application and the trusted module. In the example of HTML5 environment, Websocket can provide a connection to serve both local and remote communications between an application and trusted modules. It is possible to use a WebSocket API to connect a HTML5 web application with a local or/and remote trusted module or connect a local trusted module with a remote trusted module. Such a communication capability can empower, simplify and standardize some implementation of this invention. Secured application that would be subjected to an attack (e.g., to hacking), such as trying to skip execution through the trusted module may thus cause wrong behavior or incomplete execution of the original application. This technique is thus able to improve trustworthiness of distributed application execution compared to current mechanism.
[0068] Connection methods to bridge execution between the protected application and the trusted module may require design and implementation of partial execution dependencies. If there is an execution extension interface between non-native and native, such as JNl, partial execution dependencies can be represented directly in code form or through more advanced protections. If there is no such execution interface, such as kJava environment or HTML5 Websockets in a web browser environment, partial execution dependencies need to be represented as symbolic forms that can be passed by communication channels. In HTML5, protections can be further enhanced by providing function decryption during execution such that the function is unencrypted and dynamically loaded into the web browser page. [0069] The present invention extends the function of an external trust module with root of trustiness and secured capabilities. The trusted module calculates a next execution point for the execution/interpretation and processes context information that allows the trusted application to implement some security sensitive operations and return modified context information.
[0070] As the attacker can no longer easily observe the functional processing in both the adapted application and trusted module, the application is more difficult to reverse engineer.
[0071] From a programming perspective, a function (routine) is one of most basic and important functional constructs of software. In general, a call dependency of an application code contains one of most important execution logics that layout structural relationship between different functions that are functional components. Executable code, by nature, self-contains such a dependency. Therefore, it is relatively easy to alter the execution by modifying call dependency to tamper original execution. From security requirements, certain functions are critical because they involve valuable digital assets, such as crypto keys, IP algorithms, bank account numbers, login passwords, proprietary business logics, etc., that require necessary protection. From attacking purpose, those functions become main targets for attacks. Securing the execution is to protect those functions and call dependencies between those functions to guarantee the integrity of the original execution of the application.
[0072] Reference is now made to the drawings, in which Figure 1 shows an exemplary overview of securing execution via dynamic partial execution. Figure 1 shows a non-native execution environment 100, a trusted module 1 10, a communication (e.g., socket) connection 120 between the non-native execution environment 100 and the trusted module 1 10 and a secured storage 130. Upon analysis of the call graph of a non-application code, it is possible to replace some call dependencies of specific functions (e.g., that can be identified and specified by a user) into symbolic Partial Execution Flow Map (PEFM). The original calls are then replace with partial execution stubs (PES) 102a... 102c that can bridge invoking relationship between protected function codes 104 via the trusted module 1 10. During run-time of the protected application 104, when executing a protected function Fl that intends to invoke next function F2 that is also protected, Fl actually invokes a particular PES 102a such that it holds the current execution and sends a message call with current execution information through the communication connection 1 10 to the trusted module 120 to inquire a next method to be executed. The trusted module 120 will use the current execution information to search the next function to be executed from a secured PEFM 132. If the search is successful, the trusted module 120 can perform some security features, for example integrity verification and anti-debug before returning the next function information to be invoked as the result back to the PES 102a via the communication connection l l o. If the search failed, it indicates that the current call dependency is tampered and an attack is detected. A designated mitigation action may thus be taken by the trusted module. After the PES 102a receives the next function information, the PES 102a passes necessary parameters and invokes the particular function accordingly in order to continue the execution of this protected application 104.
[0073] The following list includes exemplary advantages which may be provided by different embodiments of the present invention:
[0074] · A protected application code contains, statically, only partial execution information. Without knowing dynamically-removed partial execution flow information within the trusted module 120, the entire application cannot execute completely and correctly.
[0075] · This secured execution interlacing extends application execution with the trusted module 129 (or other third party security modules) during the execution. It provides an opportunity for various additional protection features to be deployed by the trusted module 120.
[0076] Figure 2 shows an exemplary function splitting in accordance with the present invention. An original execution can be enhanced by necessary function splitting, e.g., for security purpose. A function can be split into two or more than two smaller functions by introducing new invoking relationship. For example, there are two functions, Fl and F2. We can split F l into three smaller functions Fl 1 , F 12 and F13. This is a technique that can be applied in source code level, intermediate code level or binary code level. On source code level, it can be done manually with some security code guideline.
[0077] For security requirements, if a function contains a number of assets that are processed within some important code segments, it is likely to be more secure to split the function into smaller functions in order to leverage interlacing capability using dynamic partial execution interlacing. Examples of assets that are likely to require protection include crypto keys, IP algorithms, bank account numbers, login passwords and proprietary business logics. [0078] A record of the PEFM 132 is formatted with four elements:
[0079] 1 . Current caller: specify the name of current calling function that requires an inquiry for next function to invoke.
[0080] 2. Current PES stub: specify the name of the current PES stub to invoke the trusted module to trigger the inquiry.
[0081] 3. Next function: specify necessary information of next function to be invoked by current caller. For different non-execution environment, the information can be different. For example, in a JVM, the information of next function may contain class name and method name whereas in HTML5, it may contain a page or document object model of the web page and the javaScript function name.
[0082] 4. Trusted functions: specify a set of functions that have been linked with the trusted module and can be executed by invoking mechanism within the trusted module. Normally, these functions are some special functions offered by the trusted module or some original functions have been implemented in a way that can be loaded into the trusted module. Trusted functions can be deployed with the trusted module at installation time, and/or dynamically linked with the trusted module at runtime. The nature of types of trusted functions and how they are deployed can be dependent on the trusted module implementation. Exemplary trusted functions include cryptographic operations and integrity verification functions. In addition, while processing a web application, it may be possible to analyze a web page content and extract sensitive functions for trusted function invocation. These trusted functions can be delivered to the trusted module in encrypted form, and loaded, decrypted and executed by the trusted module.
[0083] 5. Security actions: specify a set of security features that the trusted module can do prior to returning search result. It is optional and up to user's requests during build-time. Also, it can be driven by security policy.
[0084] Reference is now made concurrently to Figures 3 and 4, which respectively show an exemplary original function dependency and an exemplary protected application code with incomplete partial. The example of Figures 3 and 4 is useful in illustrating partial execution flow in more details. [0085] A processing tool can take the following steps to generate the protected application code only with partial execution and a symbolic PEFM:
[0086] Step 1 : If necessary, do function splitting based on some security requirements. This step is not required in the present example. [0087] Step 2: Analyze the call graph and identify the important functions and their call dependencies for protection by requests from a user as input options and configuration to the tool. In the present example, we would like to protect Fl and F2 and call dependencies of F l calling F2, Fl calling F3 and F2 calling F3.
[0088] 3. Step 3: For each of functions to be protected and for each calling dependency that requires to be protected
[0089] a. A PES function is created. The PES function can accept real parameters from caller function and pass them to the callee function that will be dynamically determined. Also, the PES function needs to facilitate the communication with a communication (e.g., socket) connection with the trusted module. For example, for F l calling F2, we create Fl pes2 stub function.
[0090] b. The original invoking is replaced by invoking the PES stub function.
For example, F l calling F2 is replaced by invoking Fl pes2 stub function.
[0091] c. A record of PEFM is created with filling necessary information. For example, on F l calling F2, the record of PEFM can be set as follows: [0092] i. Current caller: Fl p
[0093] ii. Current PES stub: Fl pes2
[0094] iii. Trusted functions: ignore for this example.
[0095] iv. Next function: F2p
[0096] v. Security actions: Integrity verification if we select this option. [0097] Step 4: Process trusted functions.
[0098] Step 5: Generate a protected application code that only contain incomplete execution dependencies. [0099] Step 6: Generate a symbolic PEFM and then encrypt it by using white-box cryptographic methods.
[00100] Step 7: Perform the signing to protected code of the non-native application and generate integrity verification (IV) voucher. [00101] Step 8: Encrypt PEDM and IV voucher using white-box cryptographic methods and pack them into a easy-deploy package
[00102] After this exemplary processing, a protected application code with protected partial execution dependencies (as illustrated in figure 4) and a record of the PEFM (as illustrated in the following table 1 ) are generated.
Figure imgf000017_0001
[00103] Table 1 : an example of PEFM
[00104] The entire call relationship of an application does not need to be symbolized. Instead, only certain call dependencies between most needed functions and require security features that can be enforced by the trusted module should be symbolized.
[00105] Depending on the business model, there are typical four deployment models: [00106] 1. Deploy both of the protected application code, trusted module and partial execution package into a client environment. The protected application code should look like normal application. It still can be applied by other protection techniques like normal applications. For example, you can still apply secure loader protection. The partial execution package must be stored into local secured storage where the trusted module is able to access. [00107] 2. Deploy the protected application code and trusted module into a client environment and partial execution package into a remote trusted storage. The key difference between this model and above model is that partial execution package needs to be deployed into a remote storage server that can be accessed by the trusted module via remote access facility.
[00108] 3. Deploy the protected application code into a client environment, and a trusted module partial and execution package into a remote trusted storage. The key difference between this model and other models is that the trusted module and partial execution package can be deployed remotely and partial execution package can be stored in a remote storage server that can be accessed by protected application via remote access facility.
[00109] 4. Combine 3 models above together to deploy the protected application code into a client environment with the following possible characteristics: [00110] a. In the client environment, there are one or more trusted modules and some partial execution package is stored in local secured storage.
[00111] b. In remote servers or cloud environments, there are one or more trusted modules and some partial execution package is stored in remote trusted storage.
[00112] c. Dynamical execution dependency will be coordinated by correlations between different trusted modules locally and remotely.
[00113] d. Protection can be on-line or off-line or switch between locally or remotely, making attacks difficult.
[00114] The present invention is not meant to be limited to any of the foregoing scenarios, but can be very flexible and applied to achieve strong protection and flexible renewability. [00115] After a protected application and its partial execution package are deployed, the protection can take its effects when the protected application is running on a device. The example of Figures 3 and 4 is reused to discuss securing the execution by using the dynamic partial execution with reference to Figures 5(a), (b), (c) and (d).
[00116] When executing a protected function (F l p) from a non-native execution environment 500, a particular PES function (Fl pes2) is first invoked with a set of real parameters, which parameters are the ones the original Fl would use to invoke original F2. The F l pes2 function accepts inputs and then sends a down call message with current execution information, in which F l p is identified as the current caller and F1 pes2 is identified as the current PES. The down call message is sent to a trusted module 520 through a communication (e.g., socket) connection 510 to inquire a next method to be executed.
[00117] The trusted module 520 will use this current execution information to search the next function to be executed from the secured PEFM located in a secured storage 530. A search component, PE Handler, within the trusted module 520 can decrypt and access the PEFM securely by using white-box crypto and search whether the current execution information can match a record of PEFM. If the search fails, it indicates that the current call dependency is tampered and an attack is detected such that the current execution will be on-hold and entry mitigating stage. Otherwise, the search is successful and it indicates that the current execution can be continuing. Considering the matching, the trusted module 520 gets research results of next function and security actions. Next, the security agent of the trusted module 520 can perform those security actions, for example integrity verification and anti-debug. If those security features are successful, the trusted module 520 will send a response message to the F lpes2 via the communication connection 510 with the next function information to be invoked as the result back. Otherwise, other attacks will be detected by the trusted module 520, through using those security features and the current execution, should enter the mitigating stage.
[00118] After the F 1 pes2 receives the next function information from the trusted module 520, the F l pes2 invokes the F2p and pass necessary parameters received while Flp called accordingly in order to continue the execution of this protected application.
[00119] Thereafter, the current execution extends to a protected function (F2p). When F2pes3 is invoked, it acts similarly to the Fl pes2 with a set of real parameters, which are parameters that original F2 would use to invoke original F3. The F2pes3 function accepts these parameters and then sends message to the trusted module 520 with current execution information, in which F2p is identified as the current caller and F2pes3 is identified as the current PES, to the trusted module 520 through the communication connection 510 to inquire a next method to be executed. Similarly, the trusted module 520 uses the new current execution information to search the next function for F2p to be executed from the secured PEFM. The process above is not repeated, for sake of conciseness.
[00120] Suppose the trusted module 520 returns F3 as the next function to the F2pes3, it then passes the received parameters to the F3 and invoke the F3. [00121] After execution of F3 is completed, the current execution returns back to the F2pes3 and then return back to the F2p, and then return back to the Fl pes2 and finally return back to Fl p, which is particularly illustrated on Figure 5(c).
[00122] Afterwards, the example continues with, the Fl p invoking F3 via Flpes3, as particularly illustrated in Figure 5 (d). [00123] Figure 6 shows an exemplary modular representation and functional diagram of a Java application solution architecture. [00124] Figure 7 shows an exemplary modular representation and functional diagram of a HTML5 web application protection architecture. The techniques presented above with reference to a HTML5 web application is reused. With Websockets, the general architecture of partial execution protection can be more flexible in terms of deployment strategy of trusted modules and partial execution information.
[00125] Here are some exemplary differences between HTML5 web application protection architecture via partial execution and Java application solution architecture via partial execution:
[00126] · With HTML5, the page can be changed dynamically during execution, so function code can be stored in the trust module and retrieved/decrypted at page execution time, and can also be removed from the page.
[00127] · Initially when web app is loaded (assumption that it is from some remote server), a filter is introduced, which applies dynamic transforms to the page before it reaches the client browser. For example this would have to parse and transform the http response. [00128] · The filter introduce would require the page response, implement transform techniques such as adding partial execution stubs, encrypting functions and replacing standard storage APIs with a specific secure store API (over websocket). Partial execution stubs could be requested by the trust module or pre-provisioned.
[00129] · Because the websocket can make connections between two local application components or between local and remote application components, multiple trusted modules can be introduced.
[00130] · When the web client is online, this also allows the trust module to communicate with the web application to managed transforms, retrieve page code, shared keys, authentication, etc. [00131] There are some identified exemplary security advantages to using the optional HTML5 web applications are obvious:
[00132] · Protected HTML page only contains partial execution information. Without knowledge of the dynamically removed partial execution info within Trusted Module, the entire application cannot function. [00133] · A web application, or different web applications can connect to one or different trusted modules locally or/and remotely. Different trusted modules can offer overlap or different security features to make attacks difficult. Also, necessary redundancy introduced by multiple trusted modules locally or remotely or both can make renewability and protection effective or flexible.
[00134] · This secured execution interlocking extends application execution with Trusted Module during the execution. It provides opportunity for various additional protection features.
[00135] Among other exemplary use cases, the present invention is expected to be useful to secure applications implemented using scripted languages, interpreted languages and virtual machines. The trusted module can be either a software module or a hardware module. Adoption of virtual machines (e.g., BD+ VM) in SetTop Boxes (STB) is also considered in order to improve updating of the CA client in the STB. In addition to processing, the smart card could also implement the dynamic control flow functions as described in this invention. The present invention may also enable deployment of a trusted module solution to much wider non-native execution environments with a better protection to secure the execution of a non-native application.
[00136] Figure 8 shows an exemplary flow chart of secured execution of a web application in accordance with the teachings of the present invention. On a processor of a client device, a function of the web application is invoked 810. A Partial Execution Stub (PES) function is invoked during execution of the function of the web application 820. The PES function may optionally establish a communication (e.g., socket) connection with a trusted module (not shown). A message call with current execution information related to the web application is then sent from the PES function 830. The message call is sent to the trusted module. The message call may be sent over the communication connection. A verification result is thereafter received by the PES function from the trusted module related to the message call 840. The message call may be sent and the verification message over the communication connection. The communication connection may be a local or remote socket connection or a websocket connection for handling local or remote connections.
[00137] The trusted module may be executed on a server node or locally in the client device. [00138] The verification result may indicate tampering of the web application, in which case the PES function may invoke a mitigation function (not shown). The mitigation action can vary and may involve, e.g., returning incorrect next function information, returning an invalid function definition, or returning a standard error function or result, causing the application behavior to fail immediately, gradually or execute incorrectly.
[00139] The verification result may alternatively comprise a next function information to be invoked for the web application. It may further comprise none or some parameter(s) required by the next function. In this latter case, the method follows with invoking the next function (not shown).
[00140] A second message call (not shown) may be sent to a second trusted module from the PES function with further current execution information related to the web application. For instance, the second trusted module may provide at least one function not offered by the trusted module. The PES function may thereafter receive a second verification result (not shown) from the second trusted module related to the second message call. The PES function may also alternatively forward the message call (not shown) with current execution information related to the web application to the second trusted module in response to the verification result. For instance, the second trusted module may provide at least one function offered by the trusted module and the verification result may indicate that the required processing was not performed by the first trusted module, indicate that a timeout was received as the verification result from the trusted module, etc. The PES function may thereafter receive a second verification result (not shown) from the second trusted module related to the forwarded message call.
[00141] Figure 9 shows an exemplary flow chart of converting a web application to a secured web application. The secured web application may be obtained by applying static and/or dynamic processing techniques. The determination of what combination of processing techniques depends on implementation choice being the web application. At a network node, code of the web application is read from a memory unit (not shown). The code comprises multiple functions. The function call graph comprises at least a call dependency from a first function to a second function of the multiple functions. It is then determined that the call dependency from the first function to the second function needs to be protected (910). The web application is thus modified into the secured web application code by adding to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication (e.g., socket) connection with a trusted module (920). The PES function requires interaction with the trusted module in order to perform the action previously taken by the second function. The web application is further modified into the secured web application code by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function (940) and generating a set of rules to define a call dependency from the PES function to the second function (950). The secured web application and the set of rules are stored into the memory unit. Once the secured web application is obtained, it may be delivered to one or more client device.
[00142] Optionally, generating the set of rules may be performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit (not shown). Generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration (not shown).
[00143] As another option, the first function and the second function may be present in the code of the web application as a single function. It may be necessary to split the single function into the first and second functions (not shown) based on an asset being processed in the single function (e.g., the single function may be read from the memory unit, split and stored to the memory unit as the first and second functions, which happens prior to reading the first and second functions therefrom). [00144] The symbolic PEFM may comprise a record comprising a current caller element identifying the first function as a current calling function requiring an inquiry before invoking the second function, a current PES element identifying the PES function as invoking the trusted module to trigger the inquiry, a next function element identifying the second function and providing information necessary for invocation of the second function, a trusted functions element identifying a set of functions that are linked with the trusted module and can be executed by an invoking mechanism within the trusted module and a security actions element identifying a set of security features that the trusted module is capable of executing prior to returning a result of the inquiry.
[00145] Optionally, it is also possible to sign the secured web application prior to storing and encrypting the set of rules (or symbolic PEFM) prior to storing.
[00146] Figure 10 shows a trusted module 1000 for securing execution of a web application executing on a client device. The trusted module comprises a network interface module 1010, a function call module 1020 and a verification module 1030. The trusted module may also comprise a security module (not shown). [00147] The network interface module 1010 is for receiving a communication (e.g., socket) connection request from a Partial Execution Stub (PES) function of the web application. The function call module 1020 is for receiving a message call from the PES function via the communication connection. The message call comprises current execution information related to the web application. The verification module 1030 is for determining, based on the current execution information, a next function to be executed for the web application and sending a result of the determination to the PES function via the communication connection.
[00148] The trusted module 1000 may be executed on a server node (not shown) remote from the client device executing the web application or on the client device (not shown). The security module (not shown) may comprise secured functions and pre-defined mitigating actions. [00149] Optionally, the result of the determination may indicate tampering of the web application. Alternatively, the result of the determination may comprise a next function information to be invoked for the web application and may further comprise none or some parameter(s) required by the next function.
[00150] Figure 1 1 shows a network node 1 100 for converting a web application to a secured web application. The network node 1 100 comprises a memory unit 1 140 and a processor 1 150 for securing the web application.
[00151] The memory unit 1 140 is for storing code of the web application, which comprises multiple functions.
[00152] The processor 1 150 is for securing the web application by determining, from a function call graph of the web application, that at least a call dependency from a first function to a second function of the web application needs to be protected. The processor 1 150 is also for modifying the web application into the secured web application code. Modifying the web application into the secured web application code is performed by adding to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication (e.g., socket) connection with a trusted module (not shown). The PES function requires interaction with the trusted module in order to perform the action originally taken by the second function. Modifying the web application into the secured web application code is further performed by modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function and generating a set of rules to define a call dependency from the PES function to the second function. The processor 1 150 is further for securing the web application by storing the secured web application and the set of rules into the memory unit 1 140. [00153] Optionally, generating the set of rules may be performed by generating a symbolic Partial Execution Flow Map (PEFM) and storing the set of rules into the memory unit 1 140 may be performed by storing the symbolic PEFM into the memory unit. Generating the set of rules may further comprise taking security requirements related to security actions and mitigating actions into consideration (not shown).
[00154] As another option, the first function and the second function may be present in the code of the web application as a single function. The processor 1 150 may then further split the single function into the first and second functions based on an asset being processed in the single function. [00155] The processor 1 150 may further sign the secured web application prior to storing and encrypt the set of rules (or symbolic PEFM) prior to storing.
[00156] The processor 1 150 may represent a single processor with one or more processor cores or an array of processors, each comprising one or more processor cores. The memory unit 1 140 may comprise various types of memory (different standardized or kinds of Random Access Memory (RAM) modules, memory cards, Read-Only Memory (ROM) modules, programmable ROM, etc.). Storage devices module (not shown) may be further be present as one or more logical or physical as well as local or remote hard disk drive (HDD) (or an array thereof). The storage devices module may further represent a local or remote database made accessible to the network node 1 100 by a standardized or proprietary interface. The optional network interface module 1 1 10 represents at least one physical interface that can be used to communicate with other network nodes. The optional network interface module 1 1 10 may be made visible to the other modules of the network node 1 100 through one or more logical interfaces. The actual stacks of protocols used by the physical network interface(s) and/or logical network interface(s) of the optional network interface module 1 1 10 do not affect the teachings of the present invention. The variants of processor 1 150, memory unit 1 140, network interface module 1 1 10 and storage devices module usable in the context of the present invention will be readily apparent to persons skilled in the art. Likewise, even though explicit mentions of the memory module 1 140 and/or the processor 1 150 are not made throughout the description of the present examples, persons skilled in the art will readily recognize that such modules are used in conjunction with other modules of the network node 1 1 10 to perform routine as well as innovative steps related to the present invention. [00157] Figure 12 shows a client device 1200 comprising a network interface module 1210 and a processor 1250 executing a web application. The network interface module 1210 opens a communication (e.g., socket) connection between a Partial Execution Stub (PES) function and a trusted module (not shown). The communication connection may be a local or remote socket connection or a websocket. The processor 1250 executes the web application by invoking a function of a web application, invoking the PES function during execution of the function of the web application, sending a message call from the PES function with current execution information related to the web application to the trusted module via the communication connection and receiving a verification result from the trusted module related to the message call.
[00158] Optionally, the trusted module may be executed on a remote server node (not shown).
[00159] The verification result may indicate tampering of the web application, in which case the processor 1250 may further execute a mitigation action. Alternatively, the verification result may also comprise a next function information to be invoked for the web application and may, if applicable, comprise one ore more parameter required by the next function. The processor 1250 further invokes the next function.
[00160] The processor 1250 may represent a single processor with one or more processor cores or an array of processors, each comprising one or more processor cores. The optional memory unit 1240 may comprise various types of memory (different standardized or kinds of Random Access Memory (RAM) modules, memory cards, Read-Only Memory (ROM) modules, programmable ROM, etc.). Storage devices module (not shown) may be further be present as one or more logical or physical as well as local or remote hard disk drive (HDD) (or an array thereof). The storage devices module may further represent a local or remote database made accessible to the client device 1200 by a standardized or proprietary interface. The network interface module 1210 represents at least one physical interface that can be used to communicate with other network nodes. The network interface module 1210 may be made visible to the other modules of the client device 1200 through one or more logical interfaces. The actual stacks of protocols used by the physical network interface(s) and/or logical network interface(s) of the network interface module 1210 do not affect the teachings of the present invention. The variants of processor 1250, optional memory unit 1240, network interface module 1210 and storage devices module usable in the context of the present invention will be readily apparent to persons skilled in the art. Likewise, even though explicit mentions of the optional memory module 1240 and/or the processor 1250 are not made throughout the description of the present examples, persons skilled in the art will readily recognize that such modules are used in conjunction with other modules of the client device 1200 to perform routine as well as innovative steps related to the present invention. [00161] In accordance with the present invention, in order to deploy one or more web applications, multiple different deployment models may be used. The chosen deployment model may be affected by, for instance, by security requirements and the functional nature of the web applications. The following four exemplary deployment models, among others, are provided.
[00162] A first deployment model could be to deploy a secured web application with PES functions, one or more trusted modules and the PEFM into a client environment. The PEFM may be stored into local secured storage accessible locally to the trusted module. This first example of deployment model can provide support for off-line secured web application execution.
[00163] A second deployment model could be to deploy the secured web application with PES functions and one r more trusted modules into a client environment and the PEFM into a remote secured storage that can be accessed by the trusted module via remote connection and access facility.
[00164] A third deployment model could be to deploy the secured web application with PES functions into a client environment, and one or more trusted modules and the PEFM into one or more remote network nodes. The secured storage that can be accessed by PES functions via remote connection and access facility.
[00165] A fourth deployment model could be to combine the first three models to deploy the secured web application with PES functions into a client environment different sets of characteristics. For instance, in the client environment, there could be one or more trusted modules and some PEFM stored in local secured storage while one or more trusted modules are stored in remote servers or cloud environments, and some PEFM is stored in remote secured storage. In such an example, dynamic execution dependency can be coordinated by correlating different trusted modules locally and remotely. Execution of protected function may occur on-line or off-line, or a mix of both, which likely renders attacks even more difficult. [00166] A method is generally conceived to be a self-consistent sequence of steps leading to a desired result. These steps require physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It is convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, parameters, items, elements, objects, symbols, characters, terms, numbers, or the like. It should be noted, however, that all of these terms and similar terms are to be associated with the appropriate physical quantities and are merely convenient labels applied to these quantities. The description of the present invention has been presented for purposes of illustration but is not intended to be exhaustive or limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art. The embodiments were chosen to explain the principles of the invention and its practical applications and to enable others of ordinary skill in the art to understand the invention in order to implement various embodiments with various modifications as might be suited to other contemplated uses.

Claims

Claims
What is claimed is:
A method for securing execution of a web application comprising:
on a processor of a client device, invoking a function of the web application; on the processor of the client device, invoking a Partial Execution Stub (PES) function during execution of the function of the web application; from the PES function, sending a message call with current execution information related to the web application, wherein the message call is sent to a trusted module; and receiving, by the PES function, a verification result from the trusted module related to the message call.
The method of claim 1 , further comprising establishing, by the partial execution stub, a communication connection with the trusted module, wherein the message call is sent via the communication connection and the verification result is received via the communication connection.
The method of claim 2, wherein the communication connection is a local socket connection, a remote socket connection or a websocket connection.
The method of claim 2 or claim 3, wherein the trusted module is executed on a server node or on the client device.
The method of any one of claims 1 to 4, further comprising:
from the PES function, sending a second message call with further current execution information related to the web application, wherein the second message call is sent to a second trusted module; and
receiving, by the PES function, a second verification result from the second trusted module related to the second message call, wherein the second trusted module provides at least one function not offered by the trusted module. The method of any one of claims 1 to 4, further comprising:
from the PES function, forwarding the message call with current execution information related to the web application to a second trusted module in response to the verification result; and receiving, by the PES function, a second verification result from the second trusted module related to the message call, wherein the second trusted module provides at least one function offered by the trusted module.
7. The method of any one of claims 1 to 6, wherein the verification result indicates tampering of the web application, the method further comprising taking a mitigation action by invoking a mitigation function, wherein the mitigation action is taken from the PES function or from the trusted module. 8. The method of any one of claims 1 to 6, wherein the verification result comprises a next function information to be invoked for the web application, the method further comprising invoking the next function.
9. A method executed in a network node for converting a web application to a secured web application comprising:
- reading, at the network node, code of the web application from a memory unit, the code comprising more than one function;
- determining, from a function call graph of the web application, that at least a call dependency from a first function to a second function of the more than one function needs to be protected;
- modifying the web application into the secured web application code by:
- adding, to the code of the web application, at least one Partial Execution Stub (PES) function comprising code to establish a communication connection with a trusted module, wherein the PES function requires interaction with the trusted module;
- modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function; and
- generating a set of rules from the function call dependency graph to define a call dependency from the PES function to the second function; and
- storing, at the network node, the secured web application into the memory unit; and
- storing, at the network node, the set of rules into the memory unit. 10. The method of claim 9, whereby the web application is statically converted to the secured web application prior to deploying the web application at the network node.
1 1. The method of claim 9 or claim 10, wherein the at least one PES function comprises a plurality of PES functions and wherein each of the plurality of PES functions is related to one of the at least one call dependency.
12. The method of any one of claims 9 to 1 1 , further comprising delivering the secured web application to one or more client devices.
13. The method of any one of claims 9 to 12, wherein generating a set of rules is performed by generating a symbolic Partial Execution Flow Map (PEFM) and wherein storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit.
14. The method of claim any one of claims 9 to 13, wherein generating the set of rules comprises taking security requirements related to security actions and mitigating actions into consideration.
15. The method of any one of claim 9 to 14, wherein the first function and the second function are present in the code of the web application as a single function processing an asset, the method further comprising, prior to reading the code from the memory unit, splitting the single function into the first and second functions based on the asset being processed in the single function.
16. The method of any one of claims 9 to 15, wherein the set of rules is a symbolic Partial Execution Flow Map (PEFM) and wherein the PEFM comprises a record comprising:
- a current caller element identifying the first function as a current calling function requiring an inquiry before invoking the second function;
- a current PES element identifying the PES function as invoking the trusted module to trigger the inquiry;
- a next function element identifying the second function and providing information necessary for invocation of the second function;
- an element of trusted functions identifying a set of functions that are linked with the trusted module and can be executed by an invoking mechanism within the trusted module; and
- a security actions element identifying a set of security features that the trusted module is capable of executing prior to returning a result of the inquiry.
17. The method of any one of claims 9 to 16, further comprising: - signing the secured web application prior to storing; and
- encrypting the set of rules prior to storing.
18. A trusted module for securing execution of a web application executing on a client device, the trusted module comprising:
a connection module for receiving a communication connection request from a Partial Execution Stub (PES) function of the web application; a function call module for receiving a message call from the PES function via the communication connection, the message call comprising current execution information related to the web application;
- a verification module for:
- determining, based on the current execution information, a next function to be executed for the web application; and
- sending a result of the determination to the PES function via the communication connection.
19. The trusted module of claim 18, whereby the web application is dynamically converted to a secured web application prior to deploying the web application at the client device.
20. The trusted module of claim 18 or claim 19 being executed on a server node remote from the client device executing the web application.
21. The trusted module of claim 18 or claim 19 being executed on the client device.
22. The trusted module of any one of claims 18 to 21, wherein the PES function is executed on the client device.
23. The trusted module of any one of claims 18 to 22, wherein the result of the determination indicates tampering of the web application.
24. The trusted module of any one of claims 18 to 23, wherein the result of the determination comprises a next function information to be invoked for the web application.
25. The trusted module of any one of claims 18 to 24, wherein the connection module further establishes a connection with a second trusted module in order to obtain the verification result.
26. The trusted module of claim 25, wherein the second trusted module provides at least one function offered by the trusted module. 27. The trusted module of claim 25 or claim 26, wherein the second trusted module provides at least one function not offered by the trusted module.
28. A client device comprising:
- a network interface module that:
- opens a communication connection between a Partial Execution Stub (PES) function and a trusted module;
- a processor executing a web application by:
- invoking a function of the web application;
- invoking the PES function during execution of the function of the web application;
- sending a message call from the PES function with current execution information related to the web application to the trusted module via the communication connection; and
- receiving a verification result from the trusted module related to the message call.
29. The client device of claim 28, wherein the trusted module is executed on a remote server node. 30. The client device of claim 28 or claim 29, wherein the verification result indicates tampering of the web application, the processor further executing a mitigation function.
31. The client device of claim 28 or claim 29, wherein the verification result comprises a next function information to be invoked for the web application, the processor further invoking the next function.
32. A network node for converting a web application to a secured web application comprising: - a memory unit for storing code of the web application, wherein the web application comprises more than one function;
- a processor for securing the web application by:
- determining, from a function call graph of the web application comprising at least a call dependency from a first function to a second function of the more than one function, that the call dependency from the first function to the second function needs to be protected;
- modifying the web application into the secured web application code by: - adding, to the code of the web application, a partial execution stub (PES) function comprising code to establish a communication connection with a trusted module, wherein the PES function requires interaction with the trusted module;
- modifying code of the web application by replacing invocation of the second function from the first function with invocation of the PES function from the first function; and
- generating a set of rules from the function call dependency graph to define a call dependency from the PES function to the second function; and
- storing the secured web application and the set of rules into the memory unit.
33. The network node of claim 32, wherein generating the set of rules further comprises generating a symbolic Partial Execution Flow Map (PEFM) and wherein storing the set of rules into the memory unit is performed by storing the symbolic PEFM into the memory unit.
34. The network node of claim 32 or claim 33, wherein generating the set of rules comprises taking security requirements related to security actions and mitigating actions into consideration. 35. The network node of claim 32 or claim 33, wherein the first function and the second function are present in the code of the web application as a single function, the processor further splitting the single function into the first and second functions based on an asset being processed in the single function.
36. The network node of claim 35, wherein splitting single function into the first function and the second function comprises introducing a new call dependency in the function call graph. 37. The network node of claim 33, wherein the symbolic PEFM comprises a record comprising: - a current caller element identifying the first function as a current calling function requiring an inquiry before invoking the second function;
- a current PES element identifying the PES function as invoking the trusted module to trigger the inquiry;
- a next function element identifying the second function and providing information necessary for invocation of the second function; - an element of trusted functions identifying a set of functions that are linked with the trusted module and can be executed by an invoking mechanism within the trusted module. - a security actions element identifying a set of security features that the trusted module is capable of executing prior to returning a result of the inquiry.
38. The network node of claims 32 to 37, wherein the processor further:
- signs the secured web application prior to storing; and
- encrypts the set of rules prior to storing.
PCT/CA2012/000297 2012-03-30 2012-03-30 Secured execution of a web application WO2013142947A1 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
CN201280073524.2A CN104321782B (en) 2012-03-30 2012-03-30 The safety execution of web applications
EP12873189.0A EP2831790B1 (en) 2012-03-30 2012-03-30 Secured execution of a web application
PCT/CA2012/000297 WO2013142947A1 (en) 2012-03-30 2012-03-30 Secured execution of a web application
US14/389,752 US9471776B2 (en) 2012-03-30 2012-03-30 Secured execution of a web application
US15/270,949 US9934375B2 (en) 2012-03-30 2016-09-20 Secured execution of a web application

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CA2012/000297 WO2013142947A1 (en) 2012-03-30 2012-03-30 Secured execution of a web application

Related Child Applications (2)

Application Number Title Priority Date Filing Date
US14/389,752 A-371-Of-International US9471776B2 (en) 2012-03-30 2012-03-30 Secured execution of a web application
US15/270,949 Division US9934375B2 (en) 2012-03-30 2016-09-20 Secured execution of a web application

Publications (1)

Publication Number Publication Date
WO2013142947A1 true WO2013142947A1 (en) 2013-10-03

Family

ID=49257985

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA2012/000297 WO2013142947A1 (en) 2012-03-30 2012-03-30 Secured execution of a web application

Country Status (4)

Country Link
US (2) US9471776B2 (en)
EP (1) EP2831790B1 (en)
CN (1) CN104321782B (en)
WO (1) WO2013142947A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150356293A1 (en) * 2014-06-06 2015-12-10 Empire Technology Development, Llc Secure application development and execution
WO2017102880A1 (en) * 2015-12-17 2017-06-22 Irdeto B.V. Securing webpages, webapps and applications

Families Citing this family (39)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11907496B2 (en) * 2013-02-08 2024-02-20 cloudRIA, Inc. Browser-based application management
JP6303730B2 (en) * 2014-03-31 2018-04-04 富士通株式会社 Information processing apparatus, information processing system, program, and processing method
US9678773B1 (en) 2014-09-30 2017-06-13 Amazon Technologies, Inc. Low latency computational capacity provisioning
US9600312B2 (en) 2014-09-30 2017-03-21 Amazon Technologies, Inc. Threading as a service
US9146764B1 (en) 2014-09-30 2015-09-29 Amazon Technologies, Inc. Processing event messages for user requests to execute program code
US10798108B2 (en) * 2014-11-14 2020-10-06 Marvell Asia Pte, Ltd. Apparatus and method for a multi-entity secure software transfer
US9537788B2 (en) 2014-12-05 2017-01-03 Amazon Technologies, Inc. Automatic determination of resource sizing
US9588790B1 (en) 2015-02-04 2017-03-07 Amazon Technologies, Inc. Stateful virtual compute system
US9733967B2 (en) 2015-02-04 2017-08-15 Amazon Technologies, Inc. Security protocols for low latency execution of program code
US10152590B2 (en) * 2016-01-04 2018-12-11 Oracle International Corporation Implementing a WebSocket server to circumvent access controls, by a web browser, on a web application
FR3048538B1 (en) * 2016-03-03 2018-11-09 Ingenico Group DATA EXECUTION AND PROCESSING METHOD, DEVICE AND CORRESPONDING COMPUTER PROGRAM
CN107203401B (en) * 2016-03-17 2020-11-06 创新先进技术有限公司 Front-end project construction method, device and system
US11132213B1 (en) 2016-03-30 2021-09-28 Amazon Technologies, Inc. Dependency-based process of pre-existing data sets at an on demand code execution environment
US10102040B2 (en) 2016-06-29 2018-10-16 Amazon Technologies, Inc Adjusting variable limit on concurrent code executions
CN107391973A (en) * 2017-07-17 2017-11-24 北京深思数盾科技股份有限公司 A kind of function guard method and device
US10528344B2 (en) * 2017-08-31 2020-01-07 Oracle International Corporation Modular points-to analysis
US10965683B1 (en) 2017-12-07 2021-03-30 Wells Fargo Bank, N.A. Login and authentication methods and systems
CN108108181B (en) * 2017-12-14 2022-03-01 深圳市雷鸟网络传媒有限公司 Function updating method and device of application program and computer readable storage medium
US10853115B2 (en) 2018-06-25 2020-12-01 Amazon Technologies, Inc. Execution of auxiliary functions in an on-demand network code execution system
US11146569B1 (en) * 2018-06-28 2021-10-12 Amazon Technologies, Inc. Escalation-resistant secure network services using request-scoped authentication information
US11099870B1 (en) 2018-07-25 2021-08-24 Amazon Technologies, Inc. Reducing execution times in an on-demand network code execution system using saved machine states
US11099917B2 (en) 2018-09-27 2021-08-24 Amazon Technologies, Inc. Efficient state maintenance for execution environments in an on-demand code execution system
US11243953B2 (en) 2018-09-27 2022-02-08 Amazon Technologies, Inc. Mapreduce implementation in an on-demand network code execution system and stream data processing system
US11943093B1 (en) 2018-11-20 2024-03-26 Amazon Technologies, Inc. Network connection recovery after virtual machine transition in an on-demand network code execution system
US11010188B1 (en) 2019-02-05 2021-05-18 Amazon Technologies, Inc. Simulated data object storage using on-demand computation of data objects
US11861386B1 (en) 2019-03-22 2024-01-02 Amazon Technologies, Inc. Application gateways in an on-demand network code execution system
US11119809B1 (en) 2019-06-20 2021-09-14 Amazon Technologies, Inc. Virtualization-based transaction handling in an on-demand network code execution system
US11190609B2 (en) 2019-06-28 2021-11-30 Amazon Technologies, Inc. Connection pooling for scalable network services
US11159528B2 (en) 2019-06-28 2021-10-26 Amazon Technologies, Inc. Authentication to network-services using hosted authentication information
US11119826B2 (en) 2019-11-27 2021-09-14 Amazon Technologies, Inc. Serverless call distribution to implement spillover while avoiding cold starts
US11714682B1 (en) 2020-03-03 2023-08-01 Amazon Technologies, Inc. Reclaiming computing resources in an on-demand code execution system
US11336680B2 (en) * 2020-03-05 2022-05-17 Oracle International Corporation Tailored security configuration of least-privilege applications
US11550713B1 (en) 2020-11-25 2023-01-10 Amazon Technologies, Inc. Garbage collection in distributed systems using life cycled storage roots
US11593270B1 (en) 2020-11-25 2023-02-28 Amazon Technologies, Inc. Fast distributed caching using erasure coded object parts
CN112929365B (en) * 2021-02-05 2023-05-16 深信服科技股份有限公司 Remote command detection method and device and electronic equipment
US11388210B1 (en) 2021-06-30 2022-07-12 Amazon Technologies, Inc. Streaming analytics using a serverless compute system
KR20240043140A (en) 2021-07-15 2024-04-02 레이 스트라티직 홀딩스, 인크. Non-flammable aerosol delivery system with atomizer-free consumables
US11968280B1 (en) 2021-11-24 2024-04-23 Amazon Technologies, Inc. Controlling ingestion of streaming data to serverless function executions
US12015603B2 (en) 2021-12-10 2024-06-18 Amazon Technologies, Inc. Multi-tenant mode for serverless code execution

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020052965A1 (en) * 2000-10-27 2002-05-02 Dowling Eric Morgan Negotiated wireless peripheral security systems
US20050044197A1 (en) * 2003-08-18 2005-02-24 Sun Microsystems.Inc. Structured methodology and design patterns for web services
US20090193497A1 (en) 2008-01-25 2009-07-30 Haruka Kikuchi Method and apparatus for constructing security policies for web content instrumentation against browser-based attacks
WO2011057393A1 (en) 2009-11-13 2011-05-19 Irdeto Canada Corporation System and method to protect java bytecode code against static and dynamic attacks within hostile execution environments

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004046708A (en) * 2002-07-15 2004-02-12 Sony Corp System, server, method and program for providing software, terminal, control program, and method and program for utilizing the software
US7281274B2 (en) * 2003-10-16 2007-10-09 Lmp Media Llc Electronic media distribution system
US8800042B2 (en) * 2005-05-16 2014-08-05 Hewlett-Packard Development Company, L.P. Secure web application development and execution environment
JP4048382B1 (en) * 2006-09-01 2008-02-20 富士ゼロックス株式会社 Information processing system and program
CN101179562B (en) * 2006-12-08 2010-07-21 腾讯科技(深圳)有限公司 Method and system for restraining use of network control in authorization website
CN101013461A (en) * 2007-02-14 2007-08-08 白杰 Method of computer protection based on program behavior analysis
US9405555B2 (en) * 2008-05-23 2016-08-02 Microsoft Technology Licensing, Llc Automated code splitting and pre-fetching for improving responsiveness of browser-based applications
EP2159732A1 (en) * 2008-08-21 2010-03-03 Thomson Licensing Method and device for code obfuscation
US8352967B2 (en) 2008-11-10 2013-01-08 Google Inc. Safe browser plugins using native code modules
CN103827880B (en) * 2011-03-31 2017-06-16 爱迪德技术有限公司 The method for protecting non-native code security

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020052965A1 (en) * 2000-10-27 2002-05-02 Dowling Eric Morgan Negotiated wireless peripheral security systems
US20050044197A1 (en) * 2003-08-18 2005-02-24 Sun Microsystems.Inc. Structured methodology and design patterns for web services
US20090193497A1 (en) 2008-01-25 2009-07-30 Haruka Kikuchi Method and apparatus for constructing security policies for web content instrumentation against browser-based attacks
WO2011057393A1 (en) 2009-11-13 2011-05-19 Irdeto Canada Corporation System and method to protect java bytecode code against static and dynamic attacks within hostile execution environments

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
YANG ET AL.: "CORBA: A Platform for Distributed Object Computing", OPERATING SYSTENZS REVIEW, vol. 30, no. 2, 1996, pages 4 - 31, XP055165296 *

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150356293A1 (en) * 2014-06-06 2015-12-10 Empire Technology Development, Llc Secure application development and execution
US10007790B2 (en) * 2014-06-06 2018-06-26 Empire Technology Development Llc Secure application development and execution
WO2017102880A1 (en) * 2015-12-17 2017-06-22 Irdeto B.V. Securing webpages, webapps and applications
US10867016B2 (en) 2015-12-17 2020-12-15 Irdeto B.V. Securing webpages, webapps and applications
US11675880B2 (en) 2015-12-17 2023-06-13 Irdeto B.V. Securing webpages, webapps and applications

Also Published As

Publication number Publication date
EP2831790A1 (en) 2015-02-04
US20150161384A1 (en) 2015-06-11
US9471776B2 (en) 2016-10-18
EP2831790B1 (en) 2020-09-23
US20170011216A1 (en) 2017-01-12
US9934375B2 (en) 2018-04-03
EP2831790A4 (en) 2016-05-11
CN104321782B (en) 2018-01-12
CN104321782A (en) 2015-01-28

Similar Documents

Publication Publication Date Title
US9934375B2 (en) Secured execution of a web application
US11921905B2 (en) Secure collaboration between processors and processing accelerators in enclaves
US9213826B2 (en) System and method to protect Java bytecode code against static and dynamic attacks within hostile execution environments
US7181603B2 (en) Method of secure function loading
US9460281B2 (en) Method of securing non-native code
US9141787B2 (en) Interlocked binary protection using whitebox cryptography
US11263311B2 (en) Securing virtual-machine software applications
WO2015150391A1 (en) Software protection
CN104680039A (en) Data protection method and device of application installation package
US20080071884A1 (en) Protecting client-side code
CN106648770B (en) Generation method, loading method and device of application program installation package
CN113420313A (en) Program safe operation and encryption method and device, equipment and medium thereof
CN112187734A (en) IPSec component architecture and VPN tunnel establishment method
Bishop Improvements of User's Security and Privacy in a Web Browser
US20170054693A1 (en) Integrity verification system using remote code execution and method thereof
Haoliang et al. The Design and Implementation on the Android Application Protection System
US20150081760A1 (en) Method and device for providing access to a task
Zhu et al. Mobile code security on destination platform
JP2023542574A (en) Model protection methods, devices, devices, systems, storage media and programs
KR20130093804A (en) Apparatus and method for secure and consistent runtime based confidential execution of application services
van Dongen Browser security

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12873189

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2012873189

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 14389752

Country of ref document: US