Publication number: GB2487862B
Publication date: 2016-09-21
Application number: GB201206958
Filing date: 2010-09-14
Applicant: IBM
Inventor: PAOLINA CENTONZE, YINNON AVRAHAM HAVIV, ROEE HAY, MARCO PISTOIA, ADI SHARABANI, OMER TRIPP
IPC: G06F21/62
Abstract: Access-control and information-flow integrity policies are enforced in a computing system by detecting security-sensitive sinks in software code for an application running on the computing system and retrieving an access-control policy from a database accessible to the computing system. The access-control policy maps a set of access permissions within the computing system to each one of a plurality of principals. For each detected security-sensitive sink, all principals that influence that security-sensitive sink are detected and an overall access permission is assigned to each security-sensitive sink by taking the intersection of the access permission sets for all influencing principals of that security-sensitive sink. If this permission set is inadequate, an integrity violation is reported. In addition, permission labels are assigned to each value of variables used in the security-sensitive sinks. Each permission label is a set of permissions.
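The check the abstract describes, as an added example that is not code from the patent or from IBM: each sink's permission label is the intersection of the permission sets of every principal that influences it, and a violation is reported when that label is inadequate. The policy, data-flow facts, sink names and the reading of "inadequate" as "lacks a permission the sink demands" are all constructed assumptions.

```python
# Constructed policy (assumption): principal -> permissions granted to it.
POLICY = {
    "app_code": {"file.read", "file.write", "net.connect"},
    "plugin": {"file.read", "net.connect"},
    "remote_user": {"net.connect"},
}
# Constructed data-flow facts standing in for static-analysis output:
# value -> (principal that originates it, or None; values it is derived from).
FLOWS = {
    "cfg_path": ("app_code", []),
    "plugin_name": ("plugin", []),
    "form_field": ("remote_user", []),
    "log_file": (None, ["cfg_path", "plugin_name"]),
    "out_file": (None, ["log_file", "form_field"]),
}
# Constructed sinks: name -> (value reaching the sink, permissions it demands).
SINKS = {
    "write_log": ("log_file", {"file.write"}),
    "open_socket": ("out_file", {"net.connect"}),
    "read_cfg": ("cfg_path", {"file.read"}),
}

def influencing_principals(value, flows, seen=None):
    """All principals whose data reaches `value`, following derivations."""
    seen = set() if seen is None else seen
    if value in seen:  # guard against cyclic flows
        return set()
    seen.add(value)
    principal, parents = flows[value]
    found = {principal} if principal else set()
    for parent in parents:
        found |= influencing_principals(parent, flows, seen)
    return found

def permission_label(value, flows, policy):
    """Label = intersection of the permission sets of every influencing principal."""
    granted = [policy.get(p, set()) for p in influencing_principals(value, flows)]
    # Assumption: no known principal, or an unlisted one, yields the empty label.
    return set.intersection(*granted) if granted else set()

def check_sinks(sinks, flows, policy):
    """Return (sink, influencing principals, missing permissions) per violation."""
    violations = []
    for name, (value, required) in sorted(sinks.items()):
        missing = required - permission_label(value, flows, policy)
        if missing:
            principals = sorted(influencing_principals(value, flows))
            violations.append((name, principals, sorted(missing)))
    return violations
```

Calling `check_sinks(SINKS, FLOWS, POLICY)` flags only `write_log`: the plugin-influenced file name lowers the label below `file.write` even though the application code itself holds that permission.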