CN117730322A - Generation of security policies for software programs - Google Patents
Generation of security policies for software programs
- Publication number
- CN117730322A (application number CN202180100566.XA)
- Authority
- CN
- China
- Prior art keywords
- access
- software program
- security policy
- blocked
- processing unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Storage Device Security (AREA)
Abstract
Description
Background
Some embodiments described in this disclosure relate to controlling access to computer resources and, more specifically but not exclusively, to generating security policies for software programs.
For brevity, unless explicitly stated otherwise, the term "system" is used below to mean "computerized system", and the two terms are used interchangeably.
In a system that executes a software program, the program may need access to one or more computer resources in order to function correctly. A computer resource may be a region of memory or a file. Another example of a computer resource is a digital communication network resource, such as an identified port number, or a software network endpoint such as a network socket. Further examples of computer resources include, but are not limited to, services provided by the operating system, inter-process communication access points, and devices connected to the hardware processor that executes at least part of the software program.
Below, the term "resource" is used to mean "computer resource", and the two terms are used interchangeably.
The need to protect systems against malicious attacks keeps growing. To this end, some systems regulate access to one or more of their computer resources by one or more programs that the system executes. A set of rules and practices governing access to a system's computer resources is also called a security policy.
Various kinds of security policy exist. In one example, the security policy blocks, by default, every software program from accessing every computer resource of the system, unless access by one or more software programs to one or more resources is explicitly enabled. Conversely, in another example, the security policy allows every software program to access every resource of the system, unless access by one or more software programs to one or more computer resources is explicitly blocked. In some security policies, some of the system's resources are blocked by default and others are unblocked by default, and access to individual computer resources is then explicitly enabled or explicitly blocked, respectively.
For a system executing a software program to function correctly, the system must be configured to enforce a security policy that lets the software program access every computer resource it needs in order to run. However, to reduce the chance of the software program damaging the system (for example because malicious code was injected into it), it is desirable that the policy enforced by the system additionally block the software program from accessing computer resources it does not need in order to run.
Summary
This disclosure describes systems and methods that generate a security policy for a software program through a sequence of policy-construction iterations.
In some implementations of such a system, execution of the software program by the system is monitored to identify one or more blocked accesses, that is, accesses by the software program to one or more blocked resources among the system's computer resources that the system, enforcing an identified security policy, blocks. When a blocked access is identified, a modified security policy is computed that enables access to the one or more blocked resources. These steps are repeated in each iteration of a sequence of policy-construction iterations, the modified security policy of one iteration serving as the identified security policy of the next iteration.
The above and other objects are achieved by the features of the independent claims. Further implementations are apparent from the dependent claims, the description and the figures.
According to a first aspect, a system for generating a security policy for a software program is provided. The system comprises a processing unit configured to, in each iteration of a sequence of policy-construction iterations: monitor execution of the software program by the system, the system being configured to enforce an identified security policy that blocks the software program from accessing a plurality of blocked computer resources, and generate monitoring data describing a plurality of accesses by the software program to a plurality of computer resources of the system; identify, among the plurality of accesses, at least one blocked access by the software program to at least one of the plurality of blocked computer resources; compute a modified security policy that enables the software program to access the at least one blocked computer resource; and instruct configuration of the system to enforce the modified security policy as the identified security policy in the next iteration of the sequence. Modifying the identified security policy to enable the software program's access to one or more blocked computer resources, based on one or more blocked accesses identified while the system enforcing the identified security policy executes the software program, improves the accuracy of the modified security policy: it reduces the number of unblocked resources the software program does not need and, additionally or alternatively, the number of blocked resources the software program does need.
According to a second aspect, a method for generating a security policy for a software program is provided. The method comprises, in each iteration of a sequence of policy-construction iterations: monitoring execution of the software program by a system, the system being configured to enforce an identified security policy that blocks the software program from accessing a plurality of blocked computer resources, and generating monitoring data describing a plurality of accesses by the software program to a plurality of computer resources of the system; identifying, among the plurality of accesses, at least one blocked access by the software program to at least one of the plurality of blocked computer resources; computing a modified security policy that enables the software program to access the at least one blocked computer resource; and instructing configuration of the system to enforce the modified security policy as the identified security policy in the next iteration of the sequence.
According to a third aspect, a software program product for generating a security policy for a software program is provided. The software program product comprises: a non-transitory computer-readable storage medium; first program instructions for monitoring execution of the software program by a system, the system being configured to enforce an identified security policy that blocks the software program from accessing a plurality of blocked computer resources, and for generating monitoring data describing a plurality of accesses by the software program to a plurality of computer resources of the system; second program instructions for identifying, among the plurality of accesses, at least one blocked access by the software program to at least one of the plurality of blocked computer resources; third program instructions for computing a modified security policy that enables the software program to access the at least one blocked computer resource; and fourth program instructions for instructing configuration of the system to enforce the modified security policy as the identified security policy in the next iteration of a sequence of policy-construction iterations. The first, second, third and fourth program instructions are executed from the non-transitory computer-readable storage medium by at least one computerized processor.
In a possible implementation of the apparatus of the first aspect or the method of the second aspect, at least one of the plurality of blocked computer resources is selected from a list of computer resources comprising at least one of: a region of memory, a file, a device connected to the processing unit, an inter-process communication access point, a digital communication network resource, and a service provided by an operating system executed by the processing unit. Optionally, the at least one blocked computer resource is selected from the group consisting of a region of memory, a file, a device connected to the processing unit, an inter-process communication access point, a digital communication network resource, and a service provided by an operating system executed by the processing unit. Optionally, in the first policy-construction iteration of the sequence, the plurality of blocked computer resources is the plurality of computer resources of the system. Blocking access to all of the system's computer resources in the first policy-construction iteration improves the accuracy of the preferred security policy by reducing the number of unblocked resources the software program does not need.
In a possible implementation of the apparatus of the first aspect or the method of the second aspect, the processing unit is further configured to: determine, when the at least one blocked access is not identified, that the identified security policy is a preferred security policy; and provide the preferred security policy to at least one user of the system. Determining that an identified security policy under which no blocked access is identified is the preferred security policy improves the accuracy of the preferred security policy and reduces the number of unblocked resources the software program does not need. Optionally, providing the preferred security policy comprises at least one of: storing the preferred security policy in a non-volatile digital memory connected to the processing unit; adding a log entry to one or more of a log file and a log of the system; sending a message to at least one other processing unit via a digital communication network interface connected to the processing unit; and displaying a message on a display device connected to the processing unit.
In a possible implementation of the apparatus of the first aspect or the method of the second aspect, monitoring execution of the software program comprises at least one of: monitoring a log of the system, executing a command, and capturing digital communication network traffic.
In a possible implementation of the apparatus of the first aspect or the method of the second aspect, the identified security policy comprises a plurality of access entries. Optionally, computing the modified security policy comprises computing at least one new access entry that enables the software program to access the at least one blocked computer resource, and adding the at least one new access entry to the identified security policy. Optionally, computing the modified security policy comprises modifying at least one of the plurality of access entries so that the software program can access the at least one blocked computer resource. Optionally, computing the modified security policy comprises deleting at least one of the plurality of access entries from the identified security policy. Optionally, identifying the at least one blocked access comprises extracting a plurality of access-violation entries from the monitoring data and identifying, among the plurality of access-violation entries, at least one access-violation entry that indicates the at least one blocked access. Optionally, computing the modified security policy comprises extracting at least one access value from the at least one access-violation entry and computing the modified security policy using the at least one access value. Using at least one access value extracted from the monitoring data can improve the accuracy of the modified security policy.
In a possible implementation of the apparatus of the first aspect or the method of the second aspect, executing the software program comprises providing the software program with an identified set of input values. Optionally, executing the software program comprises executing it in a software test environment. Optionally, the processing unit is further configured to identify, in the monitoring data, at least one unexpected result of executing the software program, and to provide a notification of the at least one unexpected result to another user of the system when the at least one blocked access is not identified, or when no association between the at least one blocked access and the at least one unexpected result is identified. Providing the software program with an identified set of input values and, additionally or alternatively, executing it in a software test environment makes it possible to identify one or more unexpected results while executing the software program and to notify the software program's developers of them, which helps improve the accuracy of the software program.
Other systems, methods, features and advantages of the present invention will be or become apparent to one skilled in the art upon examination of the following drawings and detailed description. All such additional systems, methods, features and advantages are intended to be included within this description, to be within the scope of the invention, and to be protected by the accompanying claims.
Unless otherwise defined, all technical and/or scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which the embodiments pertain. Although methods and materials similar or equivalent to those described herein can be used in the practice or testing of the embodiments, exemplary methods and/or materials are described below. In case of conflict, the patent specification, including definitions, controls. In addition, the materials, methods and examples are illustrative only and not necessarily limiting.
Brief Description of the Drawings
The invention is now described, by way of example, with reference to the accompanying drawings, in which:
Figure 1 is a flowchart schematically representing an optional flow of operations;
Figure 2 is a schematic block diagram of an exemplary system;
Figure 3 is a flowchart schematically representing an optional flow of operations for generating a security policy;
Figure 4 is a flowchart schematically representing an optional flow of operations for identifying a blocked access;
Figure 5 is a flowchart schematically representing an additional optional flow of operations for generating a security policy.
Detailed Description
In the following description, reference is made to the accompanying drawings, which form part of this disclosure and which show, by way of illustration, specific aspects of embodiments of the invention or specific aspects in which embodiments of the invention may be used. It is understood that embodiments of the invention may be used in other aspects and may comprise structural or logical changes not depicted in the figures. The following detailed description is therefore not to be taken in a limiting sense, and the scope of the invention is defined by the appended claims.
For example, it is understood that a disclosure made in connection with a described method may equally apply to a corresponding apparatus or system for performing the method, and vice versa. For example, if one or more specific method steps are described, the corresponding apparatus may include one or more units (for example functional units) to perform the described one or more method steps (for example one unit performing the one or more steps, or several units each performing one or more of the several steps), even if the one or more units are not explicitly described or shown in the figures. Conversely, if a specific apparatus is described on the basis of one or more units (for example functional units), the corresponding method may include one step to perform the functionality of the one or more units (for example one step performing the functionality of the one or more units, or several steps each performing the functionality of one or more of the several units), even if the one or more units are not explicitly described or shown in the figures. Furthermore, it is understood that features of the various exemplary embodiments and/or aspects described herein may be combined with each other unless expressly stated otherwise.
As stated above, a system needs to be configured to enforce a security policy such that a software program executed by the system can access all computer resources it needs in order to run, while its access to other computer resources is blocked.
In software development it is recommended to integrate security design into the development process of the software program, but in practice this is often not done. Without a process that automatically generates a security policy, a security expert usually specifies the security policy for the software program manually after development is complete. Even when done in collaboration with the software developers, such a manually specified security policy is error-prone and tends to be too permissive, letting the software program access more computer resources than it actually needs in order to run correctly. This permissiveness usually stems from the difficulty of identifying, at fine granularity, the computer resources the software program needs. For example, a software program may need access to an identified number of ports of a digital communication network. When the number of ports is small, a manually generated security policy can be accurate and include an explicit permission for the software program to access each port. These ports may, however, change over time during development of the software program, and once their number exceeds some threshold a manually generated security policy may instead include a permission for the software program to access a whole range of ports, some of which are not needed for the software program to run; this increases the security risk in a system enforcing the manually generated policy. This is an example of an inaccurate security policy.
Methods exist for reducing security risk in software containers, for example Linux containers, but such methods apply to containers rather than to software programs executed natively by processing circuitry. Moreover, these methods do not restrict a software program executing inside a container: under them, a software program executing in a container can access any computer resource within the boundary of its container. That is a wider range of computer resources than the software program needs in order to run correctly, which creates a potential security risk.
There is therefore a need to improve the accuracy of a software program's security policy: to reduce the number of unblocked computer resources the software program does not use, while also reducing the number of blocked computer resources the software program needs in order to run correctly.
为了提高软件程序的安全策略的准确性,本申请中描述的一些实施例提出了一种自动生成安全策略的迭代方法。在这些实施例中,系统用于执行识别的安全策略,阻止软件程序对多个被阻止的计算机资源的访问,并且系统对软件程序的执行被监控以生成描述软件程序对系统的多个计算机资源的多次访问的数据。监控系统对软件程序的执行包括监控系统的日志等,例如监控执行Linux操作系统的虚拟机的安全增强Linux(Security-Enhanced Linux,SELinux)审计日志。可选地,监控软件程序的执行包括执行命令,例如执行为了收集系统信息的命令。在一些实施例中,本公开提出在多次访问中识别软件程序对多个被阻止的资源中的一个或多个资源的至少一次被阻止的访问,并计算修改的安全策略以开启软件程序对一个或多个被阻止的资源的访问。计算修改的安全策略可选地包括修改识别的安全策略以开启软件程序对一个或多个被阻止的资源的访问。在用于执行安全策略以阻止软件程序对多个被阻止的计算机资源的访问的系统中执行软件程序,这能够识别软件程序所需的一个或多个被阻止的计算机资源,同时软件程序对多个被阻止的计算机资源中的其它被阻止的计算机资源的访问仍然被阻止。计算修改的安全策略以开启软件程序对一个或多个被阻止的计算机资源的访问,这能开启除对软件程序访问的一个或多个被阻止的资源的访问,同时仍然阻止软件程序对其它被阻止的计算机资源的访问。修改安全策略以阻止软件程序对其它被阻止的计算机资源的访问,同时允许软件程序对软件程序访问的一个或多个被阻止的资源的访问,这能够提高修改的安全策略的准确性,从而提高了执行修改的安全策略的系统的安全性。In order to improve the accuracy of security policies for software programs, some embodiments described in this application propose an iterative method for automatically generating security policies. In these embodiments, the system is configured to enforce identified security policies that block a software program's access to a plurality of blocked computer resources, and the system's execution of the software program is monitored to generate a description of the software program's access to a plurality of computer resources of the system. of data accessed multiple times. The monitoring system's execution of software programs includes monitoring system logs, etc., such as monitoring the Security-Enhanced Linux (SELinux) audit logs of virtual machines executing the Linux operating system. Optionally, execution of the monitoring software program includes executing commands, for example, executing commands for collecting system information. In some embodiments, the present disclosure proposes identifying, among multiple accesses, at least one blocked access by a software program to one or more of a plurality of blocked resources, and calculating a modified security policy to enable the software program to access Access to one or more resources is blocked. 
Computing the modified security policy optionally includes modifying the identified security policy to enable the software program to access the one or more blocked resources. Execution of a software program in a system for enforcing security policies to prevent a software program from accessing multiple blocked computer resources, which can identify one or more blocked computer resources required by the software program while the software program has access to multiple blocked computer resources. Access to other blocked computer resources within the blocked computer resources remains blocked. Compute a modified security policy to enable a software program to access one or more blocked computer resources, which enables access to one or more blocked resources in addition to the software program's access to it, while still preventing the software program from accessing other blocked resources. Block access to computer resources. Modifying a security policy to prevent a software program from accessing other blocked computer resources while allowing the software program to access one or more blocked resources that the software program accesses can improve the accuracy of the modified security policy and thereby improve Improve the security of the system that implements the modified security policy.
此外,在一些实施例中,本公开建议迭代地重复上述步骤,使得在一系列策略构建迭代中的每一次迭代中,系统用于在一系列策略构建迭代中的下一次迭代中执行作为识别的安全策略的修改的安全策略。配置系统,以在下一次迭代中执行作为识别的安全策略的修改的安全策略有助于软件程序的安全策略的增量生成,因为在下一次迭代中允许对一个或多个被阻止的资源的访问,因此对一个或多个被阻止的资源的访问将不被识别为被阻止的访问。安全策略的这种增量生成提高了安全策略的准确性,因为与手动检查代码或依靠软件开发人员和安全专家之间沟通交流来识别软件程序所需的被阻止的资源相比,增量生成能够对软件程序需要访问的被阻止的资源进行细粒度识别。对软件程序需要访问的被阻止的资源进行细粒度识别,提高了修改的安全策略的准确性,从而增加软件程序需要访问并在修改的安全策略中解除阻止的被阻止的资源的数量,同时减少软件程序未尝试访问并在修改的安全策略中解除阻止的其它被阻止的资源的数量。Furthermore, in some embodiments, the present disclosure proposes to iteratively repeat the above steps such that in each iteration in a series of policy building iterations, the system is configured to perform as identified in the next iteration in the series of policy building iterations. Security policy Modification of the security policy. Configuring the system to implement security policies as modifications to the identified security policies in the next iteration facilitates the incremental generation of security policies for software programs as access to one or more blocked resources is allowed in the next iteration, Therefore access to one or more blocked resources will not be recognized as blocked access. This incremental generation of security policies improves the accuracy of security policies because it is better than manually inspecting code or relying on communication between software developers and security experts to identify blocked resources required by software programs. Enables fine-grained identification of blocked resources that software programs need to access. Fine-grained identification of blocked resources that software programs need to access improves the accuracy of modified security policies, thereby increasing the number of blocked resources that software programs need to access and unblock in modified security policies while reducing The number of other blocked resources that the software program did not attempt to access and unblock in the modified security policy.
Optionally, in the first iteration of the series of policy-building iterations, the plurality of blocked resources is the plurality of computer resources of the system, i.e. the identified security policy blocks access to all of the system's computer resources. Starting from a security policy that blocks access to the system's computer resources improves the accuracy of the modified security policy, because it reduces the likelihood that the modified policy grants the software program access to blocked resources it does not need.
Optionally, when no blocked access is identified among the plurality of accesses of an iteration, the identified security policy used in that iteration is determined to be the preferred security policy, and this policy may be provided to one or more users of the system, for example a security expert for the system or a software developer of the software program. To provide the preferred security policy to the one or more users, it may be stored in non-volatile digital storage of the system. Additionally or alternatively, providing the preferred security policy includes adding a log entry, for example to a log of the system or to a log file. Other optional ways of providing the preferred security policy include sending a message over a digital communication network and displaying a message on a display device of the system. Examples of messages include electronic mail (email) messages and messages sent through instant messaging services such as Slack and Signal. The preferred security policy may be added to the software product of the software program.
Furthermore, in some embodiments, the present disclosure proposes identifying, in the monitoring data, one or more unexpected results of executing the software program. Such unexpected results are unrelated to the plurality of accesses, i.e. they cannot be explained by a blocked access to a blocked resource or by the absence of one. Such unexpected results indicate an error (colloquially, a bug) in the implementation of the software program. Optionally, in these embodiments, a notification of the one or more unexpected results is provided to another user of the system, for example a quality assurance professional.
Before at least one embodiment is described in detail, it should be understood that the embodiments are not necessarily limited in their application to the details of construction and arrangement of the components and/or methods set forth in the following description and/or the drawings and/or the examples. The implementations described herein support other embodiments, or may be practiced or carried out in various ways.
An embodiment may be a system, a method and/or a computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions that cause a processor to carry out aspects of the embodiments.
A computer-readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of computer-readable storage media includes: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital versatile disk (DVD), memory stick, floppy disk, and any suitable combination of the foregoing. A computer-readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
The computer-readable program instructions described herein can be downloaded to respective computing/processing devices from a computer-readable storage medium, or to an external computer or external storage device via a network, for example the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical transmission fibers, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within the respective computing/processing device.
Computer-readable program instructions for carrying out operations of the embodiments may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or either source code or object code, natively compiled or just-in-time (JIT) compiled, written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk, C++, Java, Object-Oriented Fortran or the like, interpreted programming languages such as JavaScript, Python or the like, and conventional procedural programming languages such as the "C" programming language, Fortran or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, field-programmable gate arrays (FPGA) or programmable logic arrays (PLA) may execute the computer-readable program instructions by using state information of the computer-readable program instructions to personalize the electronic circuitry, in order to perform aspects of the embodiments.
Aspects of the embodiments are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to the embodiments. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer-readable program instructions may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, a programmable data processing apparatus and/or other devices to function in a particular manner, such that the computer-readable storage medium having instructions stored therein comprises an article of manufacture including instructions which implement aspects of the function/act specified in the flowchart and/or block diagram block or blocks.
The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device to produce a computer-implemented process, such that the instructions which execute on the computer, other programmable apparatus or other device implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special-purpose hardware-based systems that perform the specified functions or acts, or by combinations of special-purpose hardware and computer instructions.
Reference is now made to Figure 1, which is a flowchart schematically illustrating an optional flow of operations 100 according to some embodiments. In these embodiments, at 101, the system is configured to enforce an identified security policy that manages access to a plurality of computer resources of the system. Optionally, the identified security policy allows the software program to access a plurality of unblocked resources among the system's computer resources. Optionally, the identified security policy blocks the software program from accessing a plurality of blocked resources among the system's computer resources. When the system executes the software program, at 102 the software program accesses some of the system's computer resources. For example, at 103 the software program may access one or more of the plurality of unblocked resources, to which access is allowed (i.e. unblocked). Optionally, at 104, the software program is blocked from accessing one or more of the plurality of blocked resources.
Optionally, the system's execution of the software program is monitored to generate, at 111, monitoring data describing a plurality of accesses by the software program to the plurality of computer resources (for example the accesses at 102, 103 and 104). At 112, the one or more accesses of 104 are identified, i.e. one or more blocked accesses to the one or more blocked resources. Optionally, at 113, at least some of the one or more blocked resources are added to the plurality of unblocked resources, and at 114 a modified security policy is computed that allows the software program to access the one or more blocked resources. Optionally, the modified security policy is the most restrictive security policy that allows the software program to access the plurality of unblocked resources, including the one or more blocked resources added to it. Optionally, method 100 is performed in each iteration of a series of policy-building iterations. Thus, at 115, the modified security policy is used as the identified security policy, so that when 101 is performed in the next iteration of the series, the system is configured to enforce the modified security policy.
Reference is now made to Figure 2, which is a schematic block diagram of an exemplary system 200 according to some embodiments. In these embodiments, system 200 includes a processing unit 201. Processing unit 201 may be any kind of programmable or non-programmable circuitry configured to carry out the operations described in this disclosure. The processing unit may include hardware and software. For example, the processing unit may include one or more processors and a transitory or non-transitory memory holding a program which, when executed by the one or more processors, causes the processing unit to perform the respective operations. Optionally, processing unit 201 includes memory 206. Optionally, processing unit 201 is connected to memory 206. Optionally, memory 206 holds a program executed by processing unit 201. Optionally, memory 206 is remote from processing unit 201 and connected to another processing unit.
Optionally, processing unit 201 is connected to one or more non-volatile digital storage 203. Examples of non-volatile digital storage include a hard disk drive, a solid-state drive, network-attached storage and network storage. Optionally, processing unit 201 is connected to one or more digital communication network interfaces 202. For brevity, henceforth the term "network interface" is used to mean "one or more digital communication network interfaces". Optionally, network interface 202 is connected to a local area network (LAN), for example an Ethernet network or a Wi-Fi network. Optionally, network interface 202 is connected to a wide area network (WAN), for example a cellular network or the Internet. Optionally, digital storage 203 is connected to processing unit 201 via network interface 202.
Optionally, processing unit 201 is connected to one or more display devices 204, for example a monitor or a flat-panel display. Optionally, processing unit 201 is connected to one or more devices 205. Optionally, the one or more devices 205 include the one or more display devices 204. Optionally, the one or more devices 205 include network interface 202. Optionally, the one or more devices 205 include the one or more digital storage 203. Other examples of devices are a camera, a microphone, a speaker, a touch screen and a sensor.
To generate a security policy for a software program, in some embodiments system 200 implements the following optional method.
Reference is now made to Figure 3, which is a flowchart schematically illustrating an optional flow of operations 300 for generating a security policy for a software program, according to some embodiments. In these embodiments, processing unit 201 executes a series of policy-building iterations. Optionally, in each iteration of the series, at 301 processing unit 201 configures system 200 to enforce an identified security policy that blocks the software program from accessing a plurality of blocked computer resources. Optionally, the plurality of blocked computer resources is at least some of the plurality of computer resources of the system. A computer resource may be a region of memory 206, optionally identified by an address or an address range. Optionally, a computer resource is a file, for example a file stored on digital storage 203. Optionally, a computer resource is a device of the one or more devices 205. Optionally, a device is identified by a handle, for example a file descriptor or an identifier. Optionally, the device is network interface 202. Optionally, the device is the one or more digital storage 203. Another example of a computer resource is a digital communication network resource, for example a port number, a network address of another processing unit, or a network socket. Some other examples of computer resources include, but are not limited to, inter-process communication access points of processes executed by processing unit 201, and services provided by an operating system executed by processing unit 201. A service may be a service that requires privileges, for example a service that creates or deletes a process executed by processing unit 201.
Optionally, the identified security policy comprises a plurality of access entries, for example a plurality of access rules, each of which blocks access to, or enables access to, at least some of the system's plurality of resources. Another example of an access entry is an iptables chain. Optionally, in the first iteration of the series of policy-building iterations, the plurality of blocked computer resources is the plurality of computer resources of the system. For example, when configuring the system includes executing iptables, in the first iteration processing unit 201 may execute the command "iptables–drop-all" (as written in the disclosure; iptables itself has no such option, and the equivalent deny-by-default baseline is set with the built-in chain default policies, i.e. "iptables -P INPUT DROP", "iptables -P OUTPUT DROP" and "iptables -P FORWARD DROP"). When configuring the system includes enforcing a policy according to one or more allow rules, each of which explicitly allows access to one or more computer resources (for example SELinux), in the first iteration the policy may be an empty policy with no access entries or access rules. Optionally, at 310, processing unit 201 additionally executes the software program. Optionally, the software program is executed in one or more known scenarios, such that executing the software program includes providing the software program with an identified set of input values. The identified set of input values optionally includes one or more of: configuration values, user input values, provided files, messages sent to the software program, and graphical user interface interactions. Optionally, executing the software program includes executing it in a software testing environment, for example in an integrated development environment (IDE) or on a test bench.
Optionally, at 320, processing unit 201 monitors the execution of the software program by system 200 to generate monitoring data describing a plurality of accesses by the software program to the system's computer resources. Optionally, at 320 processing unit 201 monitors a log of system 200, for example the SELinux audit log. When system 200 implements SELinux, processing unit 201 may configure SELinux to log violations to an identified violation log file, which processing unit 201 monitors at 320. Optionally, at 320 processing unit 201 executes a command, for example a command that collects system data. For example, when processing unit 201 runs a Linux operating system, at 320 it may execute the command dmesg. In another example, when performing 301 includes executing the command "iptables", processing unit 201 may create a new iptables chain that logs and drops all traffic, and configure iptables to forward to that chain all network traffic that matches none of the other flows configured in iptables (in iptables terms: a chain holding a LOG rule followed by a DROP rule, reached from a final catch-all jump in each built-in chain; the LOG target writes to the kernel log, which is why dmesg is a suitable collection command). Optionally, the new iptables chain logs to an identified network log. This configuration helps to identify all network traffic not explicitly addressed by iptables, and blocks such traffic by dropping it.
At 330, processing unit 201 optionally identifies, among the plurality of accesses, one or more blocked accesses by the software program to one or more of the plurality of blocked resources.
Reference is now made to Figure 4, which is a flowchart schematically illustrating an optional flow of operations 400 for identifying blocked accesses, according to some embodiments. In these embodiments, at 401 processing unit 201 extracts a plurality of access violation entries from the monitoring data. For example, when system 200 implements SELinux, processing unit 201 may feed the identified violation log file to the audit2allow utility (which reads such a file through its -i option). Optionally, the output of running audit2allow on the identified violation log file is one or more SELinux policy rules. Optionally, the access violation entries are the SELinux policy rules generated by running audit2allow. In another example, when system 200 runs iptables, at 401 processing unit 201 optionally analyzes the network log to identify one or more security violations. Optionally, at 402 processing unit 201 identifies, among the plurality of access violation entries, one or more entries indicating the one or more blocked accesses.
Reference is again made to Figure 3. At 340, processing unit 201 optionally determines whether one or more blocked accesses were identified at 330. When one or more blocked accesses were identified, at 341 processing unit 201 optionally computes a modified security policy.
Reference is again made to Figure 4. Optionally, at 410, processing unit 201 extracts one or more access values from the one or more violation entries identified at 402. Examples of access values include a port number, a network address, a file name and a file descriptor name. At 412, processing unit 201 optionally computes the modified security policy using the one or more access values. For example, processing unit 201 may use the one or more access values to locate, in the identified security policy, one or more blocking rules that block the software program's access to the one or more blocked resources. Optionally, when computing the modified security policy, processing unit 201 deletes one or more of the plurality of access entries from the identified security policy, for example access entries that block access to the one or more blocked resources. Optionally, processing unit 201 identifies the one or more access entries according to the one or more access values. In another example, when computing the modified security policy, processing unit 201 may modify one or more of the plurality of access entries that block access to the one or more blocked resources.
Optionally, when computing the modified security policy, processing unit 201 computes one or more new access entries that allow the software program to access the one or more blocked resources. Optionally, processing unit 201 computes the one or more new access entries using the one or more access values. For example, when system 200 implements SELinux, the one or more new access entries may be one or more new SELinux rules, for example rules generated by audit2allow. Optionally, the one or more new access entries are one or more rows of a table, for example in iptables. Optionally, a new access entry is a blacklist entry that blocks access to one or more computer resources. Optionally, a new access entry is a whitelist entry that allows access to one or more computer resources. Optionally, the one or more new access entries comprise a combination of whitelist entries and blacklist entries that together allow the software program to access the one or more blocked resources. For example, when the identified security policy includes a blacklist rule blocking access to a memory address range, and the one or more blocked resources include an identified memory address within that range, processing unit 201 may modify the blacklist rule so that it blocks access only to the addresses of the range below the identified memory address. Additionally, processing unit 201 may add a new rule blocking access to the addresses of the range above the identified memory address. Alternatively, in this example, processing unit 201 may delete the blacklist rule and add two new rules, one blocking access to the addresses of the range below the identified memory address and the other blocking access to the addresses of the range above it.
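The blacklist modification described above, as an added example that is not part of the patent: a blacklist entry is modelled as a half-open address range, and each identified address (or, generalizing slightly beyond the text, each identified sub-range) is cut out of the entries that contain it, leaving the part below and the part above as separate entries. The range representation, the rule text format and the sample policy are this example's own assumptions.

```python
from __future__ import annotations

# A blacklist entry here is a half-open address range [start, end) that the
# identified security policy blocks. Representation chosen for this example.
Range = tuple[int, int]


def carve_blacklist(blocked: list[Range], unblock: list[Range]) -> list[Range]:
    """Compute the blacklist entries of the modified security policy.

    Every range in `unblock` (the identified addresses the program needs; a single
    address is the range [addr, addr + 1)) is cut out of the entries in `blocked`.
    An entry containing a hole is replaced by the part below the hole and the part
    above it, which is the "modify the rule and add one" / "delete the rule and add
    two" variant described above; an empty part is simply not emitted.
    """
    entries = list(blocked)
    for h_start, h_end in unblock:
        if h_start >= h_end:
            raise ValueError(f"empty unblock range {h_start:#x}-{h_end:#x}")
        next_entries: list[Range] = []
        for s, e in entries:
            if h_end <= s or e <= h_start:      # no overlap: entry is kept unchanged
                next_entries.append((s, e))
                continue
            if s < h_start:                     # part of the entry below the hole
                next_entries.append((s, h_start))
            if h_end < e:                       # part of the entry above the hole
                next_entries.append((h_end, e))
        entries = next_entries
    return entries


def is_blocked(blacklist: list[Range], addr: int) -> bool:
    """Access check under a blacklist policy: blocked iff some entry covers addr."""
    return any(s <= addr < e for s, e in blacklist)


def render_rules(blacklist: list[Range]) -> list[str]:
    """Human-readable form of the entries, e.g. for the policy log (format is ours)."""
    return [f"deny mem {s:#x}-{e - 1:#x}" for s, e in blacklist]


# Constructed example: the first-iteration policy blocks one page of memory, and the
# monitoring data showed the program touching one address and one small structure in it.
IDENTIFIED_POLICY = [(0x1000, 0x2000)]
OBSERVED_ACCESSES = [(0x1800, 0x1801), (0x1010, 0x1020)]

if __name__ == "__main__":
    modified = carve_blacklist(IDENTIFIED_POLICY, OBSERVED_ACCESSES)
    for rule in render_rules(modified):
        print(rule)
    for addr in (0x1000, 0x1010, 0x1800, 0x1FFF, 0x2000):
        print(f"{addr:#06x}: {'blocked' if is_blocked(modified, addr) else 'allowed'}")
```

Holes at the edge of an entry shrink it rather than split it, and a hole covering a whole entry removes it; every address the monitoring data did not show stays blocked, which is the property the modified policy must preserve.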
Optionally, processing unit 201 adds the one or more new access entries to the identified security policy.
Reference is again made to Figure 3. At 344, processing unit 201 optionally instructs system 200 to be configured to enforce, in the next iteration of the series of policy-building iterations, the modified security policy as the identified security policy.
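The policy-building loop of flows 300 and 400 (and the iteration described earlier for flow 100), as an added example that is not code from the patent: it parses access values out of SELinux AVC denial records (steps 401, 402 and 410), turns them into allow rules of the shape audit2allow prints (step 412), adds those rules to the policy (step 130) and re-runs until a run produces no denial (step 501). The "program" is a simulation that aborts at the first access the policy denies, which is how a real program usually behaves when open() or connect() fails and is the reason several iterations are needed; the domain and type names, the log lines and the required accesses are constructed for this example. One caveat a practitioner should keep in mind: the loop allows whatever the program attempted, so a denial caused by a bug or by hostile input would be unblocked just the same, which is why the unexpected results discussed below still have to be reviewed separately.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Field layout of the AVC denial records SELinux writes to the audit log. The log
# lines fed through this example are constructed, not taken from a real system.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


@dataclass(frozen=True)
class Access:
    """One access value (step 410): source domain, target type, object class, permission."""
    sdomain: str
    ttype: str
    tclass: str
    perm: str


def parse_denials(audit_log: str) -> list[Access]:
    """Steps 401/402/410: extract the access values from the AVC denial entries;
    every other audit record (SYSCALL, CWD, ...) is ignored."""
    found: list[Access] = []
    for line in audit_log.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        sdomain = m.group("scontext").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcontext").split(":")[2]
        for perm in m.group("perms").split():
            found.append(Access(sdomain, ttype, m.group("tclass"), perm))
    return found


def render_policy(policy: set[Access]) -> list[str]:
    """Step 412: one allow rule per (source, target, class) with the permissions
    merged, the shape audit2allow prints for the same denials."""
    merged: dict[tuple[str, str, str], set[str]] = defaultdict(set)
    for a in policy:
        merged[(a.sdomain, a.ttype, a.tclass)].add(a.perm)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};" for (s, t, c), p in merged.items()
    )


def run_program(policy: set[Access], required: list[Access]) -> str:
    """Stand-in for steps 310/320 (a simulation, not a real program): the program needs
    `required` in order and aborts at the first access the policy denies, as a real
    program typically does when open() or connect() fails. Returns the audit log."""
    for n, a in enumerate(required):
        if a in policy:
            continue
        return (
            f"type=AVC msg=audit(1700000000.{n:03d}:{n}): avc:  denied  {{ {a.perm} }}  for  "
            f'pid=4242 comm="svc" scontext=system_u:system_r:{a.sdomain}:s0 '
            f"tcontext=system_u:object_r:{a.ttype}:s0 tclass={a.tclass} permissive=0"
        )
    return ""


def build_policy(required: list[Access], max_iter: int = 50) -> tuple[list[str], int]:
    """The loop of flows 100/300: start from the empty (everything blocked) policy,
    run, unblock exactly what was observed as denied, repeat until a run is clean.
    Returns the preferred policy (step 501) and the number of iterations used."""
    policy: set[Access] = set()
    for iteration in range(1, max_iter + 1):
        denied = parse_denials(run_program(policy, required))
        if not denied:
            return render_policy(policy), iteration
        policy.update(denied)  # steps 113/130: add only the observed resources
    raise RuntimeError("policy did not converge; the program's access set keeps changing")


# Constructed accesses of a hypothetical daemon running as `svc_t`: it reads its
# config file, appends to its log and connects to an HTTP port.
REQUIRED = [
    Access("svc_t", "svc_conf_t", "file", "read"),
    Access("svc_t", "svc_conf_t", "file", "open"),
    Access("svc_t", "svc_log_t", "file", "append"),
    Access("svc_t", "http_port_t", "tcp_socket", "name_connect"),
]

if __name__ == "__main__":
    rules, iterations = build_policy(REQUIRED)
    print(f"converged after {iterations} iterations")
    print("\n".join(rules))
```

With the constructed daemon the loop needs four iterations that each unblock one access and a fifth, clean one that ends the series, and the resulting policy contains exactly three allow rules covering the four observed accesses and nothing else. The max_iter bound matters on real systems: a program whose accesses depend on the input set will keep producing new denials, and the loop must stop and report that rather than grow the policy forever.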
Optionally, at 340 processing unit 201 determines that no blocked access was identified at 330. Reference is now made to Figure 5, which is a flowchart schematically illustrating a further optional flow of operations 500 for generating a security policy, according to some embodiments. In these embodiments, since no blocked access was identified, at 501 processing unit 201 determines that the identified security policy is the preferred security policy. Optionally, the iteration in which processing unit 201 determines the preferred security policy is the last iteration of the series of policy-building iterations. Optionally, at 502 processing unit 201 provides the preferred security policy to one or more users of the system, for example a security professional or a software developer. Optionally, processing unit 201 provides the preferred security policy by saving it to the one or more digital storage 203. Optionally, processing unit 201 provides the preferred security policy by sending a message to at least one other processing unit via network interface 202. Examples of messages sent via a network interface are email messages and messages sent through an instant messaging service. Optionally, processing unit 201 provides the preferred security policy by displaying a message on the one or more display devices 204. Optionally, processing unit 201 provides the preferred security policy by adding a log entry to a log file or log of system 200. Optionally, the log file is a log file of the policy generation process that implements method 100.
Optionally, at 510 the processing unit 201 identifies one or more unexpected results of executing the software program, for example when the identified set of input values is provided to the software program. Optionally, the one or more unexpected results are identified when the software program is executed in the software testing environment. Optionally, the processing unit 201 identifies the one or more unexpected results when no blocked access is identified at 330. Optionally, the processing unit 201 fails to identify an association between the one or more unexpected results and the one or more blocked accesses identified at 330. Where no blocked access was identified, or where no such association was identified, at 511 the processing unit 201 optionally provides a notification of the one or more unexpected results identified at 510 to one or more other users of the system, for example quality-assurance professionals. Optionally, the processing unit 201 determines that the identified security policy is the preferred security policy where no unexpected result was identified at 510.
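To make the loop of steps 330 through 511 concrete, the following Python simulation is added here as an illustration; it is example code written for this page, not the patent's own code or any implementation by the applicant. It assumes things the patent text does not state: that a security policy is an allow-list of (kind, target) accesses, that the modification applied between iterations is to permit the accesses blocked in the previous iteration, and that the two sample programs, the input value and the expected result are constructed. It shows both outcomes of step 340: a policy converging to the least set of accesses the program actually needs (the preferred policy), and an unexpected result that persists once nothing is blocked, which is routed to QA rather than attributed to the policy.

```python
"""Simulation of the iterative policy construction described for FIG. 3 and FIG. 5.

Added example, not the patent's code.  Assumptions not present in the patent text:
a policy is an allow-list of (kind, target) accesses; the program under test is a
constructed function that performs accesses through a sandbox; the modification
between iterations is to permit what was blocked in the previous iteration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

Access = tuple[str, str]  # (resource kind, target), e.g. ("file", "/etc/app/config.toml")


@dataclass(frozen=True)
class Policy:
    allowed: frozenset[Access] = frozenset()

    def permitting(self, accesses) -> "Policy":
        """Modified policy for the next iteration (step 344): allow what was just blocked."""
        return Policy(self.allowed | frozenset(accesses))


class Sandbox:
    """Constructed software testing environment: every access is checked against the
    policy, and blocked accesses are recorded (the information step 330 identifies)."""

    def __init__(self, policy: Policy):
        self.policy = policy
        self.blocked: list[Access] = []

    def access(self, kind: str, target: str) -> bool:
        acc = (kind, target)
        if acc in self.policy.allowed:
            return True
        self.blocked.append(acc)
        return False


def sample_program(sb: Sandbox, input_value: str) -> str:
    """Constructed stand-in for the software program under test."""
    config = "strict" if sb.access("file", "/etc/app/config.toml") else "default"
    if not sb.access("net", "api.example.internal:443"):
        return f"offline:{config}"
    sb.access("file", "/var/log/app.log")  # best-effort logging: a block here leaves the result unchanged
    return f"ok:{config}:{input_value.upper()}"


def buggy_program(sb: Sandbox, input_value: str) -> str:
    """Same accesses as sample_program but drops the last character: an unexpected result
    that no policy change explains, so it belongs with QA (step 511), not in the policy."""
    return sample_program(sb, input_value)[:-1]


@dataclass
class BuildResult:
    policy: Policy
    iterations: int
    qa_notifications: list[str] = field(default_factory=list)
    log: list[str] = field(default_factory=list)


def build_policy(program, input_value: str, expected_result: str,
                 max_iterations: int = 10) -> BuildResult:
    """Run the series of policy construction iterations and return the preferred policy."""
    policy = Policy()
    result = BuildResult(policy, 0)
    for iteration in range(1, max_iterations + 1):
        sb = Sandbox(policy)
        actual = program(sb, input_value)
        unexpected = actual != expected_result                        # step 510
        result.log.append(f"iteration {iteration}: blocked={sb.blocked} unexpected={unexpected}")
        if sb.blocked:
            # An unexpected result alongside blocked accesses is treated as associated with
            # them (assumption): adjust the policy, not the program, and iterate (step 344).
            policy = policy.permitting(sb.blocked)
            continue
        # Step 340: nothing was blocked, so this policy is preferred (501) and this is the
        # last iteration.  An unexpected result with no blocked access has no policy
        # explanation and is reported to QA (511) instead of being silently accepted.
        if unexpected:
            result.qa_notifications.append(
                f"unexpected result {actual!r} (expected {expected_result!r}) with no blocked access")
        result.policy = policy
        result.iterations = iteration
        result.log.append(f"preferred policy: {sorted(policy.allowed)}")
        return result
    raise RuntimeError(f"no stable policy within {max_iterations} iterations")


if __name__ == "__main__":
    out = build_policy(sample_program, "hello", "ok:strict:HELLO")
    print("\n".join(out.log))
    print(build_policy(buggy_program, "hello", "ok:strict:HELLO").qa_notifications)
```

With the constructed sample program the loop settles after three iterations on exactly the three accesses the program performs; starting from an empty allow-list rather than from a permissive one is what makes the result a least-privilege policy instead of a record of everything the environment happened to permit.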
The descriptions of the various embodiments have been presented for purposes of illustration, but are not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
It is expected that during the life of a patent maturing from this application many relevant kinds of monitoring data and computer resources will be developed, and the scope of the terms "monitoring data" and "computer resource" is intended to include all such new technologies a priori.
As used herein, the term "about" refers to ±10%.
The terms "include", "have" and their variations mean "including but not limited to". These terms encompass the terms "consisting of" and "consisting essentially of".
The phrase "consisting essentially of" means that the composition or method may include additional ingredients and/or steps, but only if the additional ingredients and/or steps do not materially alter the basic and novel characteristics of the claimed composition or method.
As used herein, the singular forms "a", "an" and "the" include plural references unless the context clearly dictates otherwise. For example, the term "a compound" or "at least one compound" may include a plurality of compounds, including mixtures thereof.
The word "exemplary" is used herein to mean "serving as an example, instance or illustration". Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments and/or to exclude the incorporation of features from other embodiments.
The word "optionally" is used herein to mean "is provided in some embodiments and not provided in other embodiments". Any particular embodiment may include a plurality of "optional" features unless such features conflict.
Throughout this application, various embodiments may be presented in a range format. It should be understood that the description in range format is merely for convenience and brevity and should not be construed as an inflexible limitation on the scope of the embodiments. Accordingly, the description of a range should be considered to have specifically disclosed all the possible subranges as well as individual numerical values within that range. For example, description of a range such as from 1 to 6 should be considered to have specifically disclosed subranges such as from 1 to 3, from 1 to 4, from 1 to 5, from 2 to 4, from 2 to 6, from 3 to 6, etc., as well as individual numbers within that range, for example 1, 2, 3, 4, 5 and 6. This applies regardless of the breadth of the range.
Whenever a numerical range is indicated herein, it is meant to include any cited numeral (fractional or integral) within the indicated range. The phrases "ranging between" a first indicated number and a second indicated number and "ranging from" a first indicated number "to" a second indicated number are used herein interchangeably and are meant to include the first and second indicated numbers and all the fractional and integral numerals between them.
It is appreciated that certain features of embodiments which are, for brevity, described in the context of separate embodiments may also be provided in combination in a single embodiment. Conversely, various features of embodiments which are, for brevity, described in the context of a single embodiment may also be provided separately or in any suitable subcombination, or as suitable in any other described embodiment. Certain features described in the context of various embodiments are not to be considered essential features of those embodiments unless the embodiment is inoperative without those elements.
Although the embodiments have been described in conjunction with specific embodiments thereof, it is evident that many alternatives, modifications and variations will be apparent to those skilled in the art. Accordingly, it is intended to embrace all such alternatives, modifications and variations that fall within the spirit and broad scope of the appended claims.
It is the intent of the applicant that all publications, patents and patent applications referred to in this specification are to be incorporated in their entirety by reference into the specification, as if each individual publication, patent or patent application was specifically and individually noted when referenced that it is to be incorporated herein by reference. In addition, citation or identification of any reference in this application shall not be construed as an admission that such reference is available as prior art to the present invention. To the extent that section headings are used, they should not be construed as necessarily limiting. In addition, any priority document or documents of this application are hereby incorporated herein by reference in their entirety.
Claims (15)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/EP2021/070667 WO2023001380A1 (en) | 2021-07-23 | 2021-07-23 | Generation of a security policy for a software program |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117730322A true CN117730322A (en) | 2024-03-19 |
Family
ID=77168234
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202180100566.XA Pending CN117730322A (en) | 2021-07-23 | 2021-07-23 | Generation of security policies for software programs |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN117730322A (en) |
WO (1) | WO2023001380A1 (en) |
2021
- 2021-07-23 CN CN202180100566.XA patent/CN117730322A/en active Pending
- 2021-07-23 WO PCT/EP2021/070667 patent/WO2023001380A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2023001380A1 (en) | 2023-01-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||