Method and apparatus for secure execution of untrusted software
Process for securing and for checking the integrity of the secured programs
Method and apparatus for assessing integrity of computer system software
Apparatus and method for certifying the delivery of information
Method for signature of an information processing file, and apparatus for implementing it
Efficient security kernel for the 80960 extended architecture
Method and system for generating and auditing a signature for a computer program Patent #: 5559884
ApplicationNo. 569398 filed on 12/08/1995
US Classes:713/167, Object protection713/187, COMPUTER PROGRAM MODIFICATION DETECTION BY CRYPTOGRAPHY717/126, Program verification717/166Using class loader
ExaminersPrimary: Barron, Gilberto Jr.
Attorney, Agent or Firm
International ClassG06F 009/44
AbstractA computer system includes a program executer that executes verifiable architecture neutral programs and a class loader that prohibits the loading and execution of non-verifiable programs unless (A) the non-verifiable program resides in a trusted repository of such programs, or (B) the non-verifiable program is indirectly verifiable by way of a digital signature on the non-verifiable program that proves the program was produced by a trusted source. In the preferred embodiment, verifiable architecture neutral programs are Java bytecode programs whose integrity is verified using a Java bytecode program verifier. The non-verifiable programs are generally architecture specific compiled programs generated with the assistance of a compiler. Each architecture specific program typically includes two signatures, including one by the compiling party and one by the compiler. Each digital signature includes a signing party identifier and an encrypted message. The encrypted message includes a message generated by a predefined procedure, and is encrypted using a private encryption key associated with the signing party. A digital signature verifier used by the class loader includes logic for processing each digital signature by obtaining a public key associated with the signing party, decrypting the encrypted message of the digital signature with that public key so as generate a decrypted message, generating a test message by executing the predefined procedure on the architecture specific program associated with the digital signature, comparing the test message with the decrypted message, and issuing a failure signal if the decrypted message digest and test message digest do not match.