Claims
What is claimed is:
1. In a computer system including processing means for executing a
plurality of programs and memory means coupled to said processing means
for storing data and for storing at least one program, said computer
system having a plurality of computer resources and being capable of
performing a wide range of information processing related functions under
program control, a method for protecting a computer user from operations
typically performable by a program while it is executing on behalf of a
user, comprising the steps of:
establishing a program authorizing information data structure for storing a
plurality of authorization entries each indicating at least one of those
computer resources and information processing related functions which may
be used by an associated program;
storing said program authorizing information data structure; and
associating the program authorizing information data structure with at
least one program to be executed by said computer system to thereby
protect the computer user from operations that might be performed by said
at least one program, whereby the program authorizing information is
available to be monitored when its associated program is executed.
2. A method according to claim 1, further including the step of including a
digital hash of said program to be executed as part of the program
authorization information data structure.
3. A method according to claim 1, further including the step of digitally
signing at least a part of the program authorization information data
structure with the private key of an authorizing entity.
4. A method according to claim 3, wherein the digitally signing step
includes indicating that a plurality of digital signatures are required in
order for any digital signature to be valid.
5. A method according to claim 3, wherein the digitally signing step
includes the step of indicating at least one qualification of authority
which has been granted to the signer.
6. A method according to claim 1, wherein the program authorization
information data structure is defined by a computer user before an
associated program is executed.
7. A method according to claim 1, wherein the step of establishing provides
an indication of at least a part of at least one data file to which the
program may have access.
8. A method according to claim 7, wherein the indication of at least one
data file includes an indication of the file by designating a portion of
the file name.
9. A method according to claim 8, wherein said indication of the file by
designating a portion of the file name, operates to define a set of files.
10. A method according to claim 1, wherein the step of establishing
provides an indication of at least a subset of at least one file to which
a program to be executed has access.
11. A method according to claim 1, wherein the step of establishing
associates a set of files to which a program to be executed has access.
12. A method according to claim 1, wherein the step of establishing
provides an indication of at least a subset of at least one file to which
the program does not have access.
13. A method according to claim 1, wherein the step of establishing
associates at least one file to which a program to be executed has access
and indicates the ability to read information from said file.
14. A method according to claim 1, wherein the step of establishing
associates at least part of one file to which a program to be executed has
access and indicates the limitations in the ability to use said part.
15. A method according to claim 1, wherein the step of establishing
provides an indication of at least one file to which a program to be
executed has access and specifies the ability to write information in said
at least one file.
16. A method according to claim 1, wherein the step of establishing
provides an indication of the set of programs which are authorized to be
invoked by said program.
17. A method according to claim 1, wherein the step of establishing
associates the ability to invoke other programs which may have different
authorizing information than the associated program with said associated
program.
18. A method according to claim 1, wherein the step of establishing
provides an indication of denying said associated program the ability to
invoke other programs having different program authorizing information.
19. A method according to claim 1, wherein the establishing step provides
an indication of the ability to invoke other programs restricted only by
the limits of the calling program.
20. A method in accordance with claim 16, wherein the associated program
authorizing information limits the effective program authorization of an
invoked program by the combination of its own program authorizing
information and that of the calling program.
21. A method according to claim 1, wherein the step of establishing
associates an indication of the set of programs which are authorized to
invoke said program.
22. A method according to claim 1, further including the step of limiting,
using said stored program authorizing information associated with a
program to be executed, the use of at least one of the resources and
functions which would otherwise be available to said program.
23. A method according to claim 22, wherein the step of limiting includes
limiting the resources and functions which are available to other programs
which are invoked by the program which is being executed.
24. A method according to claim 1, wherein the step of establishing
provides an indication of at least one rule governing the authority of
said associated program to transmit information.
25. A method according to claim 24, wherein said at least one rule provides
an indication of the authority to transmit information and the step of
establishing includes the step of defining the ability to utilize
electronic mail.
26. A method according to claim 24, wherein said at least one rule provides
an indication of the authority to transmit information and the step of
establishing includes the step of indicating a subset of all possible
recipients.
27. A method according to claim 1, wherein the step of establishing
provides at least one rule governing the program's ability to solicit
digital signatures on behalf of the user.
28. A method according to claim 1, wherein the step of establishing
provides at least one rule governing the program's ability to create
digital signatures.
29. A method according to claim 28, wherein said at least one rule governs
the ability to solicit digital signatures by defining the type of material
to which the digital signature can be applied.
30. A method according to claim 28, wherein said at least one rule limits
the information which may be digitally signed to those involving a
predetermined maximum amount of money value.
31. A method according to claim 1, wherein the step of establishing
qualifies the ability of other programs to perform document release
operations on behalf of the user.
32. A method according to claim 1, wherein at least one rule qualifies
program operation to a subset of possible security classifications.
33. A method according to claim 1, wherein the step of establishing
provides a qualification of the ability of said associated program to
execute machine language instructions.
34. A method according to claim 1, wherein the step of establishing
qualifies the set of memory which the said associated program is permitted
to access.
35. A method according to claim 34, wherein the permission to access
includes the ability to alter.
36. A method according to claim 34, further including indicating that a
particular class of memory is alterable.
37. A method according to claim 1, wherein the step of establishing
provides an indication of the set of qualifications governing the ability
of a program to display information to the user.
38. A method according to claim 1, wherein the step of establishing
provides an indication of the set of qualifications governing the ability
of the program to solicit information from a user.
39. A method according to claim 1, wherein the step of establishing
provides an indication of the set of qualifications governing the ability
of a program to control computer controlled resources which are coupled to
the computer.
40. A method according to claim 39, wherein said computer controlled
resources include robot apparatus.
41. A method according to claim 39, wherein the set of qualifications
governs the ability of the program to transmit information via a modem.
42. In a computer system having means for executing a plurality of programs
and a memory means coupled to said means for executing, for storing data
and program instructions, said computer system being capable of performing
a wide range of information processing related operations under program
control, a method for executing programs by said means for executing for a
computer user comprising the steps of:
identifying a program to be executed;
determining whether a program authorizing information data structure has
been associated with the program, wherein said program authorizing
information qualifies the ability of the program to perform
information processing related operations which are available to said
computer user;
examining said program authorizing information data structure if one has
been associated with said program;
determining from an examination of said program authorization information
whether the associated program is allowed to perform an attempted
information processing related operation; and
suppressing performance of said operation if said program authorizing
information data structure indicates that said program is not allowed to
perform an attempted operation.
43. A method according to claim 42, further including the step of checking
said authorization information prior to permitting said program to utilize
a required computer system resource.
44. A method according to claim 42, further including the step of checking
whether said program authorization information data structure allows the
performance of an operation defined in said associated program.
45. A method according to claim 42, further including the step of checking
to determine whether a user has been assigned the authority to run
programs performing a predetermined operation.
46. A method according to claim 42, further including the step of creating
a program control data structure for said program and storing authorizing
information related indicia in said program control data structure.
47. A method according to claim 46, wherein said authorizing information
related indicia is a pointer to said authorizing information.
48. A method according to claim 42, further including the step of assigning
a default program authorization information if said determining step
reveals that no valid authorizing information has been associated with
said program.
49. A method according to claim 42, further including the step of verifying
any digital signature associated with said program authorization
information data structure.
50. A method according to claim 49, including the step of suppressing the
execution of said program if said digital signature is not valid.
51. A method according to claim 49, further including the step of
allocating storage for said program if said digital signature is valid.
52. A method according to claim 42, further including the step of combining
the authorizing information of said program with the authorizing
information associated with a routine calling said program.
53. A method according to claim 42, wherein said authorizing information
data structure includes means for storing a hash of said program, and
further including the step of computing the hash of said program and
comparing the computed hash with said stored hash.
54. A method according to claim 42, further including the step of verifying
the authority associated with the signer of a digital signature.
55. A method according to claim 42, further including the step of combining
the authorizing information of said program with the authorizing
information associated with a routine called by said program.
56. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has authority to access.
57. A method according to claim 42, wherein said authorization information
includes an indication of the set of fields of at least one file to which
said associated program has the authority to access.
58. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has the authority to access and the nature of the operations on said data
which the program is permitted to perform.
59. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has authority to read.
60. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has authority to process.
61. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has authority to modify.
62. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has authority to erase.
63. A method according to claim 42, wherein said authorization information
includes an indication of the set of data to which said associated program
has authority to transmit.
64. A method according to claim 42, wherein said authorization information
includes an indication of whether said associated program has the ability
to call programs.
65. A method according to claim 42, wherein said authorization information
includes an indication of the set of programs which are allowed to invoke
said associated program.
66. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of the
associated program to generate electronic mail.
67. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to transmit data to other users.
68. A method according to claim 42, wherein said authorization information
includes an indication of the ability of the associated program to perform
document release.
69. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to execute machine language programs.
70. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to access memory.
71. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to display information to a user.
72. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to solicit input from a user.
73. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to create digital signatures.
74. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule governing the authority of
said associated program to control other devices.
75. A method according to claim 74, wherein said other devices include
robot devices.
76. A method according to claim 42, wherein said authorization information
includes an indication of at least one rule indicating that access is
governed by a security clearance.
77. A method according to claim 42, wherein said authorization information
is included as part of a digital signature.

Description
FIELD OF THE INVENTION
The present invention generally relates to a method and apparatus for
providing digital information with enhanced security and protection. More
particularly, the invention relates to a method and apparatus for
providing enhanced computer system security while processing computer
programs, particularly those of unknown origin, which are transmitted
among users.
BACKGROUND AND SUMMARY OF THE INVENTION
The potentially devastating consequences of computer "viruses" have been
widely publicized. A computer virus may be viewed as a computer program
which, when executed, results in the performance of not only operations
expected by the user, but also unexpected, often destructive, operations
built into the program. A computer virus may also be viewed as a program
which, when executed, takes a part of its code and places such code in
other programs to thereby infect the other programs. The virus may modify
other programs within the system, set various traps in the system, alter
various control programs, erase or otherwise modify files in the system,
etc.
Such a virus is typically maliciously constructed to have such undesirable
side effects which damage, probe or compromise the user's data in
unexpected ways. Problems with computer viruses are often compounded by
the fact that the virus controlling program is typically executed
"implicitly" when the user accesses certain necessary data so that the
user is not even aware that the destructive program is executing.
The present invention provides protection from such viruses and also from
programs which execute on a system but which are not actual computer virus
carriers. In this regard, a program may have an unintended, adverse impact
on a computer system and/or associated data. For example, an executing
program may inadvertently cause certain user data to be sent to a third
party. Such a program may have been the result of a programming error or
may have been intentionally designed to cause a particular problem.
Prior art operating systems are typically designed to protect data from
computer users. In such systems, users are often assigned various
authorities and are thereafter able to execute programs based on their
associated authority. If a program is executing which exceeds the user's
assigned authority, then such a system will halt execution of the program.
Such prior art systems do not adequately protect computer users from
computer viruses or the like.
There are security systems which protect certain "system" related files
from being modified by a program. However, such systems do not typically
protect a computer user from a program executing and modifying the user's
own files.
The present invention is directed to providing reliable security, even when
operating with complex data structures, e.g., objects, containing their
own program instructions, which are transmitted among users. The present
invention also provides enhanced security when processing more
conventional programs, even those of questionable origin, e.g., from a
computer bulletin board, without exposing system programs or data to the
potentially catastrophic consequences of computer viruses or of
incompetent programming.
The present method and apparatus utilizes a unique operating system design
that includes a system monitor which limits the ability of a program about
to be executed to the use of predefined resources (e.g., data files, disk
writing capabilities etc.). The system monitor builds a data structure
including a set of authorities defining that which a program is permitted
to do and/or that which the program is precluded from doing.
The set of authorities and/or restrictions assigned to a program to be
executed are referred to herein as "program authorization information" (or
"PAI"). Once defined, the program authorization information is thereafter
associated with each program to be executed to thereby delineate the types
of resources and functions that the program is allowed to utilize. The PAI
associated with a particular program may be assigned by a computer system
owner/user or by someone who the computer system owner/user implicitly
trusts.
The PAI defines the range of operations that a program may execute and/or
defines those operations that a program cannot perform. The program is
permitted to access what has been authorized and nothing else. In this
fashion, the program may be regarded as being placed in a program
capability limiting "safety box". This "safety box" is thereafter
associated with the program such that whenever the system monitor runs the
program, the PAI for that program is likewise loaded and monitored. When
the program is to perform a function or access a resource, the associated
PAI is monitored to confirm that the operation is within the defined
program limits. If the program attempts to do anything outside the
authorized limits, then the program execution is halted.
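The "safety box" just described, as an added example that is not part of the patent text: a small system monitor holds a program's PAI as a list of (type, resource, level) entries, checks each attempted operation against it, and halts the program on the first violation. It also shows the combination rule of claims 20, 52 and 55, where an invoked program's effective authority is the intersection of its own PAI and the caller's PAI. The entry layout, class names and the sample EDITOR/SPELL policies are assumptions made for this example.

```python
"""Added example (not from the patent): a minimal PAI monitor.
Entry format, names and the sample policies are assumptions."""
from dataclasses import dataclass


class AuthorizationViolation(Exception):
    """Raised when a program attempts an operation outside its PAI."""


@dataclass(frozen=True)
class Entry:
    kind: str         # segment 34 analogue: generic type ("file", "mail", "invoke")
    resource: str     # segment 36 analogue: specific resource within that type
    level: frozenset  # segment 38 analogue: operations granted, e.g. {"read"}


@dataclass
class PAI:
    program: str
    entries: tuple


def allows(pai, kind, resource, operation):
    """True if some entry grants `operation` on `resource` of type `kind`."""
    return any(e.kind == kind and e.resource == resource and operation in e.level
               for e in pai.entries)


def combine(caller, callee):
    """Effective PAI of an invoked program (claims 20/52/55): the invoked
    program may only do what BOTH its own PAI and the caller's PAI permit,
    so authority never grows by calling another program."""
    effective = []
    for e in callee.entries:
        for c in caller.entries:
            if c.kind == e.kind and c.resource == e.resource:
                shared = e.level & c.level
                if shared:
                    effective.append(Entry(e.kind, e.resource, shared))
    return PAI(callee.program, tuple(effective))


class Monitor:
    """System monitor: every attempted operation is checked against the PAI
    loaded alongside the program; the first violation halts the program."""

    def __init__(self, pai):
        self.pai = pai
        self.halted = False
        self.log = []

    def attempt(self, kind, resource, operation):
        if self.halted:
            raise AuthorizationViolation(f"{self.pai.program} already halted")
        if allows(self.pai, kind, resource, operation):
            self.log.append(("ok", kind, resource, operation))
            return True
        self.halted = True
        self.log.append(("halt", kind, resource, operation))
        raise AuthorizationViolation(
            f"{self.pai.program}: {operation} on {kind}:{resource} not in PAI")


def run_demo():
    # Constructed sample policies: an editor may read/write its own data file
    # and may invoke a spell checker; it has no mail authority at all.
    editor = PAI("EDITOR", (
        Entry("file", "NOTES.DATA", frozenset({"read", "write"})),
        Entry("invoke", "SPELL", frozenset({"call"})),
    ))
    # The spell checker's own PAI is broader (it may also send mail), but when
    # EDITOR invokes it the effective PAI shrinks to what both permit.
    spell = PAI("SPELL", (
        Entry("file", "NOTES.DATA", frozenset({"read", "write"})),
        Entry("mail", "*", frozenset({"send"})),
    ))
    m = Monitor(editor)
    results = {"read": m.attempt("file", "NOTES.DATA", "read")}
    try:
        m.attempt("mail", "bob@example.test", "send")
        results["mail"] = True
    except AuthorizationViolation:
        results["mail"] = False
    effective = combine(editor, spell)
    results["spell_write"] = allows(effective, "file", "NOTES.DATA", "write")
    results["spell_mail"] = allows(effective, "mail", "*", "send")
    results["halted"] = m.halted
    return results


if __name__ == "__main__":
    print(run_demo())
```

The monitor is deliberately fail-closed: anything not explicitly granted is refused, and once a violation occurs the program stays halted, which matches the "permitted to access what has been authorized and nothing else" rule above.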
Thus, the present invention advantageously protects a user from any program
to be executed. The present invention is particularly advantageous in
light of current data processing practices where programs are obtained
from a wide range of diverse, untrustworthy places such as computer
bulletin boards or other users of unknown trustworthiness.
The present invention contemplates that the above-described PAI may be,
together with the program itself (or a hash of the program), digitally
signed by some entity that the user trusts. When digital signatures are
used to validate the PAI, the aforementioned PAI monitoring will also
involve verifying a digital signature on a PAI to ensure that it belongs
to an entity trusted by the user and that it is properly authorized and
that it and the associated program have not been tampered with.
The present invention contemplates the use of the hierarchical trust
digital signature certification systems such as that described in the
inventor's U.S. Pat. Nos. 4,868,877 and 5,005,200 which patents are hereby
incorporated by reference herein. In accordance with the teachings of
these patents, it is possible for a single high level authorizing entity
to securely delegate the authority to authorize programs among a number of
other entities and to require co-signatures at any level, thereby
inhibiting the possibility of error or fraud by the authorizing agents
themselves. This allows a single software validation group to service a
large population, thereby substantially reducing the per capita expense to
each user.
In one contemplated embodiment of the present invention, programs may be
part of data objects, which are written in a high-level control language
and are executed by a standardized interpreter program which executes this
high-level language. In this case, part of the interpreter's task is to
verify that the functions encountered in the high level logic are, in
fact, permissible. If such tasks are not permissible, the interpreter then
suppresses the execution of the program not authorized to perform such
tasks.
Many advantages flow from the use of the present invention. For example,
the present invention advantageously serves to bind limitations to
programs so that it becomes impossible for covert programs or viruses to
be introduced into the system. Users are protected through specifying
details as to the functions that may be performed to ensure that programs
which are intended for one function do not accidentally or intentionally
cross-over and affect other unrelated or critical resources (so as to
effect the spread of computer viruses). Through the use of the program
authorization information in the manner described herein, it is possible
for users to protect themselves against the programs they execute.
Administrative agents can effectively limit the scope of programs without
the need to comprehend every aspect of the program's logic. Administrators
can authorize and limit programs based on their intended functions and
definitions to thereby reduce the dangers of program defects. In this
fashion, the dangers of the distraught or mischievous programmer who might
try to plant a software "time bomb" or virus can be limited.
The present invention also permits digital signatures to verify the PAI.
Thus, programs can be freely and safely exchanged within a large
population, where all members trust the common high-level signing
authority.
Even programs with no known trustworthiness can be used after program
authorization information associates a wide range of restrictions to
thereby allow potentially beneficial programs to be safely used--even if
they do not have an official certification of trust.
The present invention also allows an unlimited number of different
resources and functions to be controlled. For example, some useful
resources/functions which may be controlled include: the ability to limit
a program to certain files or data sets; the ability to transmit data via
electronic mail to someone outside the user's domain; the ability of a
program to create or solicit digital signatures; the ability to limit
access to a program of certain security classes, etc.
The present invention also provides the ability to limit whether a program
can perform digital signature operations and limit how such signatures
must be performed. In many cases, when a program is involved in soliciting
a digital signature from a user, it is up to the program to make the user
aware of the data to which the signature is being applied. Such is likely
to be the case with electronic data interchange (EDI) transactions. In
this case, it is conceivable for a mischievous application program to show
the user one set of data and yet feed another set of data for signature.
In this case, the program has tricked the user into digitally signing
totally different information than that which the user has been led to
believe. The present invention provides a mechanism which protects the
user from programs which solicit digital signatures.
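One way a monitor can enforce the signature rules of claims 27-30 and close the "show one set of data, sign another" gap just described, as an added example that is not part of the patent: the program hands the monitor the exact bytes it wants signed; the monitor ignores whatever the program claims to be displaying, presents those bytes to the user itself, applies the PAI rules (may the program solicit signatures at all, on which type of material, up to what amount), and only then produces the value that would go to the signing routine. The rule fields, the tiny EDI-like message format and the use of a SHA-256 digest in place of an actual signature are assumptions made for this example.

```python
"""Added example (not from the patent): a signature-solicitation gate.
Rule fields, message format and the digest-as-signature stand-in are assumed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureRule:
    may_solicit: bool          # claim 27/28: may the program ask for signatures
    material_types: frozenset  # claim 29: e.g. {"PURCHASE_ORDER"}
    max_amount: int            # claim 30: maximum money value, in currency units


class SignatureRefused(Exception):
    pass


def parse_material(data):
    """Constructed format: b'TYPE=...;AMOUNT=...;...'"""
    fields = dict(part.split("=", 1) for part in data.decode().split(";") if part)
    return fields["TYPE"], int(fields["AMOUNT"])


def solicit_signature(rule, program_claims, data, user_confirms):
    """`program_claims` is what the program *says* the user is looking at; it is
    deliberately ignored. The monitor renders `data` itself and digests only
    that, so the program cannot display one thing and have another signed."""
    if not rule.may_solicit:
        raise SignatureRefused("program may not solicit signatures")
    mtype, amount = parse_material(data)
    if mtype not in rule.material_types:
        raise SignatureRefused(f"material type {mtype} not permitted")
    if amount > rule.max_amount:
        raise SignatureRefused(f"amount {amount} exceeds limit {rule.max_amount}")
    shown = data.decode()  # trusted path: the monitor, not the program, shows the data
    if not user_confirms(shown):
        raise SignatureRefused("user declined")
    return hashlib.sha256(data).hexdigest()  # stand-in for the signing step


def demo():
    rule = SignatureRule(True, frozenset({"PURCHASE_ORDER"}), 5000)
    honest = b"TYPE=PURCHASE_ORDER;AMOUNT=1200;VENDOR=ACME"
    # A mischievous program claims to show the 1200 order but submits a
    # different amount for signature; the user sees the real amount and declines.
    inflated = b"TYPE=PURCHASE_ORDER;AMOUNT=4800;VENDOR=ACME"

    def careful_user(text):
        return "AMOUNT=1200" in text

    out = {"honest": solicit_signature(rule, "order for 1200", honest, careful_user)
           == hashlib.sha256(honest).hexdigest()}
    cases = [("inflated", inflated),
             ("over_limit", b"TYPE=PURCHASE_ORDER;AMOUNT=9000;VENDOR=ACME"),
             ("wrong_type", b"TYPE=CONTRACT;AMOUNT=10;VENDOR=ACME")]
    for name, payload in cases:
        try:
            solicit_signature(rule, "order for 1200", payload, careful_user)
            out[name] = "signed"
        except SignatureRefused as exc:
            out[name] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

The important design choice is that the display step belongs to the monitor: the program's own rendering is never trusted, so the rules in the PAI and the user's confirmation both apply to the bytes that are actually signed.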
Through the use of the present invention, general object oriented data may
be transferred from user to user without exposing users to the potential
dangers of viruses or mischievous users.
BRIEF DESCRIPTION OF THE DRAWINGS
These as well as other features of this invention will be better
appreciated by reading the following description of the preferred
embodiment of the present invention taken in conjunction with the
accompanying drawings of which:
FIG. 1 shows in block diagram form an exemplary communications system which
may be used in conjunction with the present invention;
FIG. 2 is an illustration of a program authorization information data
structure;
FIGS. 3A-3D illustrate exemplary methods for associating program
authorization information with a program;
FIG. 4 is a general flowchart illustrating how a user may use the present
invention in conjunction with a program of unknown origin;
FIG. 5 is an illustration of a program control block data structure in
accordance with an exemplary embodiment of the present invention;
FIGS. 6, 7, 8, 9A and 9B are a flowchart delineating the sequence of
operations of a program for establishing program authorization
information;
FIGS. 10 and 11 illustrate the sequence of operations performed by a
supervisor program in processing program authorization information.
DETAILED DESCRIPTION OF THE DRAWINGS
FIG. 1 shows in block diagram form an exemplary communications system which
may be used in conjunction with the present invention. The system includes
a communications channel 12 which may, for example, be an unsecured
channel over which communications between terminals A, B, . . . N, may
take place. Communications channel 12 may, for example, be a telephone
line. Terminals A, B, . . . N may, by way of example only, be IBM PC's
having a processor (with main memory) 2 which is coupled to a conventional
keyboard/CRT display 4. Additionally, each processor is preferably coupled
to a non-volatile program and program authorization information (PAI)
storage 7 which may be a disk memory device. Each terminal, A, B . . . N
also includes a conventional IBM communications board (not shown) which
when coupled to a conventional modem 6, 8, 10, respectively, permits the
terminals to transmit and receive messages.
Each terminal is capable of generating a message, performing whatever
digital signature operations may be required, and transmitting the message
to any of the other terminals connected to communications channel 12 (or a
communications network (not shown), which may be connected to
communications channel 12). The terminals A, B . . . N are also capable of
performing signature verification on each message as required.
FIG. 2 is an illustration of an exemplary program authorization information
(PAI) data structure. The PAI includes a set of authorizing specification
segments 22-38 and a set of authorizing signature segments 40-48 (which
may be optional in certain situations).
A header segment 20 precedes the authorizing specification segments, and
defines the length of the program authorization information which follows.
The field length information permits the programmer to readily determine
the extent of the associated authorization information in memory. Thus,
if, for example, an object-oriented data structure (to be described below
in conjunction with FIG. 3C) were to be utilized, field 20 would serve to
identify the point at which program authorization information segment 116
ends to locate program segment 118 shown in FIG. 3C.
Segments 22 and 24 are "hash" related segments. As will be appreciated by
those skilled in the art, a "hash" is a "one-way" function in which it is
computationally infeasible to find two data values which hash to the same
value. For all practical purposes, the value obtained from applying the
hashing function to the original aggregation of data is an unforgeable
unique fingerprint of the original data. If the original data is changed
in any manner, the hash of such modified data will likewise be different.
The hash related segments insure against the possibility that a
properly authorized program in accordance with the present invention will
be later tampered with to result in a modified program. By storing the
program hash in segment 24, the hash may be later checked to insure that
the associated program has not been modified after it has been authorized.
In segment 22, an identifier is stored to uniquely identify a particular
hashing algorithm.
The PAI may optionally include a segment 26 which identifies the type of
program (or object) to, for example, indicate that the associated program
is a machine language program, an executive program of a particular type,
etc. By providing data identifying the type of program, the system is
provided with some information regarding the nature of the operations to
be performed by the program. Such information can provide an indication
that something unexpected (and perhaps mischievous) is occurring. The PAI
may also include fields identifying the name of the program at the time
it was signed (segment 28) and the date of authorization (segment 29).
Section 30 is a segment which defines the size of the following series of
authorization related entries. This field allows the remaining entries to
be delimited as desired.
Each authorization entry which follows includes a segment defining the size
of the particular entry (32). Each entry likewise includes a segment 34
identifying the type of function or resource to which it relates. A
wide range of functions may be defined such as, for example, whether the
program may have the right to authorize other programs to solicit digital
signatures. Segment 36 specifies a specific function/resource falling
within the generic type identified in segment 34. For example, specific
user files may be designated in segment 36 to more specifically identify
the "files" specified in segment 34. Segments 34 and 36 may, if desired,
be combined in a single segment. The reference to "wild card" in segment
36 is intended to, for example, indicate that a program may access any
file having a predetermined prefix or suffix. For example, a designation
"A*" would indicate that the program may access any file identified by a
tag beginning with "A". Similarly, the segment 36 may include an entry
*DATA which may signify that the program may access any file ending with
"DATA" or may alternatively signify that the program cannot access the
designated set of files. Such an entry may also indicate that the program
can alter any program files. Segment 36 may thus specify not only what the
program can do, but also what the program is not authorized to do.
Segment 38 shown in FIG. 2 specifies the level of authority which has been
granted. For example, segment 38 may specify that the program is granted a
level of authority permitting reading from a predetermined set of files,
but is denied the authority to alter, or delete any such files.
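The following is an added example, not code from the patent, showing one way the authorization specification (segments 22 through 38) can be represented and monitored at execution time: the program hash in segment 24 is recomputed to detect later tampering, and each requested operation is checked against entries whose segment 36 may carry a wild card such as "A*" or "*DATA" and whose segment 38 carries the granted level of authority. Class names, field names, the sample program image and the sample entries are all constructed here; an `allow=False` entry is this example's way of expressing what the program is not authorized to do.

```python
import fnmatch
import hashlib
from dataclasses import dataclass

# Hypothetical encoding of the PAI segments; the segment numbers in the comments refer
# to the patent's FIG. 2, while the field names and values are constructed here.

@dataclass(frozen=True)
class AuthEntry:
    resource_type: str    # segment 34: generic type, e.g. "files"
    pattern: str          # segment 36: specific resource, may carry a wild card ("A*", "*DATA")
    authority: frozenset  # segment 38: level of authority, e.g. {"read"}
    allow: bool = True    # False models segment 36 naming what the program may NOT do

@dataclass(frozen=True)
class PAI:
    hash_alg: str         # segment 22: identifier of the hashing algorithm
    program_hash: str     # segment 24: hash of the program as authorized
    program_type: str     # segment 26: e.g. "machine-language"
    program_name: str     # segment 28: name at signing time
    auth_date: str        # segment 29: date of authorization
    entries: tuple        # entries delimited by segment 30; each carries its own size (32)

def hash_program(program_image: bytes, alg: str) -> str:
    return hashlib.new(alg, program_image).hexdigest()

def build_pai(program_image, program_type, program_name, auth_date, entries, alg="sha256") -> PAI:
    return PAI(alg, hash_program(program_image, alg), program_type, program_name, auth_date, tuple(entries))

def program_unmodified(pai: PAI, program_image: bytes) -> bool:
    """Recompute segment 24 at load time: any change to the program changes the hash."""
    return hash_program(program_image, pai.hash_alg) == pai.program_hash

def is_authorized(pai: PAI, resource_type: str, resource: str, action: str) -> bool:
    """Monitor one requested operation against the PAI. A matching deny entry wins; otherwise
    some matching allow entry must grant the action; anything unlisted is denied."""
    granted = False
    for entry in pai.entries:
        if entry.resource_type != resource_type or not fnmatch.fnmatchcase(resource, entry.pattern):
            continue
        if action in entry.authority:
            if not entry.allow:
                return False
            granted = True
    return granted

def check_program(pai: PAI, program_image: bytes, requests) -> list:
    """Refuse everything if the program no longer matches its authorized hash; otherwise
    return one decision per (resource_type, resource, action) request."""
    if not program_unmodified(pai, program_image):
        return [(r, False) for r in requests]
    return [(r, is_authorized(pai, *r)) for r in requests]

# Constructed sample program image and PAI (not real software).
PROGRAM = b"constructed program image: report generator v1"
SAMPLE_PAI = build_pai(
    PROGRAM, "machine-language", "REPORTGEN", "1993-02-01",
    [AuthEntry("files", "A*", frozenset({"read", "write"})),                    # may read/write A-prefixed files
     AuthEntry("files", "*DATA", frozenset({"write", "delete"}), allow=False),  # but never alter *DATA files
     AuthEntry("files", "REPORT.OUT", frozenset({"read", "write", "delete"}))],
)

if __name__ == "__main__":
    reqs = [("files", "ACCOUNTS.DATA", "read"), ("files", "ACCOUNTS.DATA", "write"),
            ("files", "ARCHIVE.TXT", "write"), ("files", "B.TXT", "read")]
    for req, ok in check_program(SAMPLE_PAI, PROGRAM, reqs):
        print(req, "ALLOW" if ok else "DENY")
    print("tampered image:", check_program(SAMPLE_PAI, PROGRAM + b"\x90", reqs))
```

The deny-wins rule is a design choice of this example: with both "A*" (allow write) and "*DATA" (deny write) matching ACCOUNTS.DATA, the write is refused while the read, which no deny entry covers, is still permitted by the "A*" entry.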
If the PAI is to be made available to different users (by virtue of the
program being transmitted to desired recipients), then it may become
desirable for the PAI to be digitally signed. Even within a single
organization, it may be desirable to include an optional authorization
signature.
The authorization signature includes a signature segment 40. The signature
segment 40 may include a reference to the signer's certificate, i.e., an
identifier for identifying the signer's certificate. In accordance with a
preferred embodiment of the present invention, such a digital certificate
is a digital message created by a trusted entity which contains the user's
public key and the name of the user (which is accurate to the entity's
satisfaction) and possibly a representation of the authority which has
been granted to the user by the party who signs the digital message. Such
a signer's certificate is preferably created utilizing the teachings of
the inventor's U.S. Pat. Nos. 4,868,877 and 5,005,200, which patents are
hereby expressly incorporated herein by reference. In accordance with
these patents, the certificate is constructed by the certifier to include
the authority which is being granted and limitations and safeguards which
are imposed including information which reflects issues of concern to the
certifier, such as, for example, the monetary limit for the certifiee and
the level of trust that is granted, to the certifiee. The certificate may
also specify co-signature and counter signature requirements being imposed
upon the certifiee, as specifically taught in the above-identified U.S.
patents.
The signature segment 40 may also include the signing date, and algorithm
identifiers for both the hash and public key. The segment 40 additionally
includes the authority invoked for signing which specifies one or more
authorities designated in a certificate to, for example, grant the
authority to authorize programs to modify a predetermined file.
Additionally, the signature will include a hash of the authorizing
specification, e.g., including the entirety of segments 20 through 38
described above.
The result of the signer's private key operation on the items identified in
segment 40 is stored in segment 42. This may be a standard digital
signature such as defined in X.500 or may be in accordance with the
enhanced digital signature teachings of the inventor's above-identified
U.S. patents. Additional (a possible second to possible Nth) signatures
(cosignatures) may be stored as indicated in segments 44, 46. Optionally,
the authorization signature may also include the digital certificate for
the above signatures in a segment 48. Alternatively, such certificates may
be accessible from an identified data base (although it may be preferable
to include the digital certificates for associated signatures so that
signatures may be verified without the need to access any such data base).
The segments 40 through 48 constitute the authorization seal which is
associated with the authorization specification described above. All
further details regarding the digital certification/digital signature
techniques referenced herein may be performed with any digital signature
technology including standard technology such as X.500 or enhanced
technology such as in accordance with the above-identified U.S. patents.
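As an added example (not the patent's own code, and not the enhanced signature technology of the referenced patents), the block below models the authorization seal: segment 40 lists the signed items (certificate reference, date, hash and public-key algorithm identifiers, the authority invoked, and the hash of the authorization specification), segment 42 holds the signer's private-key result, further signatures serve as cosignatures, and segment 48 embeds the certificates so verification needs no external database. Verification also checks that each signer's certificate actually grants the authority invoked and that the co-signature requirement a certificate imposes is met. The signature scheme is a toy textbook RSA on fixed Mersenne primes, constructed purely so the example runs offline; the certificate fields, the `cosigners_required` rule and all sample values are assumptions of this example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Tuple

# Toy textbook RSA on fixed Mersenne primes: constructed here only so the seal can be
# exercised offline. It is not a usable signature scheme; a real seal would use a
# standard scheme such as the X.500 signatures mentioned in the text.
def toy_keypair(p: int, q: int, e: int = 65537) -> Tuple[Tuple[int, int], int]:
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), pow(e, -1, phi)          # public key (n, e), private exponent d

def digest_int(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def toy_sign(d: int, pub: Tuple[int, int], data: bytes) -> int:
    return pow(digest_int(data, pub[0]), d, pub[0])

def toy_verify(pub: Tuple[int, int], data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def canonical(obj) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

@dataclass(frozen=True)
class Certificate:             # hypothetical shape of a certificate carried in segment 48
    cert_id: str
    name: str
    pub: Tuple[int, int]
    authorities: frozenset     # authorities the certifier granted to this certifiee
    cosigners_required: int    # extra signatures needed before this signer's signature counts

def make_signature(spec: dict, cert: Certificate, d: int, authority: str, date: str) -> dict:
    """Segment 40 lists the signed items (including the hash of segments 20 through 38);
    segment 42 holds the signer's private-key operation over those items."""
    seg40 = {"cert_ref": cert.cert_id, "date": date, "hash_alg": "sha256", "pk_alg": "toy-rsa",
             "authority_invoked": authority,
             "spec_hash": hashlib.sha256(canonical(spec)).hexdigest()}
    return {"seg40": seg40, "seg42": toy_sign(d, cert.pub, canonical(seg40))}

def verify_seal(spec: dict, seal: dict) -> bool:
    """Check every signature (segment 42 and cosignatures 44, 46, ...) against the embedded
    certificates (segment 48), the invoked authority, the spec hash, and the co-signature
    requirement the certificates impose."""
    certs = {c.cert_id: c for c in seal["seg48"]}
    spec_hash = hashlib.sha256(canonical(spec)).hexdigest()
    valid, required = 0, 1
    for sig in seal["signatures"]:
        seg40 = sig["seg40"]
        cert = certs.get(seg40["cert_ref"])
        if cert is None or seg40["spec_hash"] != spec_hash:
            return False                       # unknown signer, or spec altered after sealing
        if seg40["authority_invoked"] not in cert.authorities:
            return False                       # signer invoked an authority never granted
        if not toy_verify(cert.pub, canonical(seg40), sig["seg42"]):
            return False                       # signature does not match segment 40
        valid += 1
        required = max(required, 1 + cert.cosigners_required)
    return valid >= required

# Constructed sample: an authorization specification (segments 20 through 38) and two signers.
SPEC = {"hash_alg": "sha256", "program_hash": hashlib.sha256(b"constructed program image").hexdigest(),
        "program_type": "machine-language", "program_name": "PAYROLL", "auth_date": "1993-02-01",
        "entries": [{"type": "files", "resource": "PAY*", "authority": ["read", "write"]}]}
PUB_A, PRIV_A = toy_keypair(2**31 - 1, 2**61 - 1)
PUB_B, PRIV_B = toy_keypair(2**89 - 1, 2**107 - 1)
AUTH = "authorize-program-file-modification"
CERT_A = Certificate("cert-A", "A. Officer", PUB_A, frozenset({AUTH}), cosigners_required=1)
CERT_B = Certificate("cert-B", "B. Officer", PUB_B, frozenset({AUTH}), cosigners_required=0)

def build_seal(with_cosigner: bool = True, authority: str = AUTH) -> dict:
    sigs = [make_signature(SPEC, CERT_A, PRIV_A, authority, "1993-02-01")]
    if with_cosigner:
        sigs.append(make_signature(SPEC, CERT_B, PRIV_B, authority, "1993-02-02"))
    return {"signatures": sigs, "seg48": [CERT_A, CERT_B]}

if __name__ == "__main__":
    print("both signatures:", verify_seal(SPEC, build_seal()))
    print("missing cosigner:", verify_seal(SPEC, build_seal(with_cosigner=False)))
    print("tampered spec:", verify_seal(dict(SPEC, program_name="PAYROLL2"), build_seal()))
```

Because A's certificate requires one cosigner, a seal carrying only A's signature fails even though that signature is cryptographically valid; a seal whose specification was altered after sealing fails on the spec hash before any key operation is attempted.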
In accordance with the present invention, a PAI is associated with programs
to be executed. FIGS. 3A through 3D depict four exemplary approaches for
associating program authorization information with a program. Turning
first to FIG. 3A, this figure exemplifies how program authorization
information is stored, under access control, in association with a
program. FIG. 3A shows an exemplary schematic representation of a system's
directory of programs. The directory includes data indicative of the name
of each of the programs 1, 2, . . . N (80, 86 . . . 92, respectively).
Associated with each program name identifier is an indicator 82, 88, 94,
respectively, which identifies the location on disk 98 of the associated
program, for example, program 1 (104). Additionally, associated with each
of the program related identifiers is an indicator 84, 90, . . . 96,
respectively, which identifies the location of its associated program
authorization information, e.g., PAI 1. Although the program authorization
information, PAI 1, is depicted as being stored in a separate memory
device 100, it may, if desired, be stored in the same memory media as its
associated program. As indicated above, the program authorization
information associated with a program may or may not be digitally signed
depending upon whether the program authorization information has been
generated by the user himself (in which case it need not be signed) or
has been generated by a third party in which case the PAI frequently
should be signed.
FIG. 3B shows another approach to associating a PAI with a program. In this
approach, the program authorization information 110 is embedded with a
program 112. As described above in conjunction with FIG. 3A, the
authorizing information may optionally be digitally signed depending upon
the source of the PAI.
FIG. 3C shows an important application in which a PAI data structure is
associated with a program according to an embodiment of the present
invention. FIG. 3C shows an illustrative data structure for a secure
exchangeable "object". The data structure may be signed by a trusted
authority. The signing of such a data structure allows the object to be
securely transmitted from user to user. Although the data structure shown
in FIG. 3C is set forth in a general format, it may be structured as set
forth in the inventor's copending application filed on Apr. 6, 1992 and
entitled "Method and Apparatus for Creating, Supporting and Processing a
Travelling Program" (U.S. Ser. No. 07/863,552), which application is hereby
expressly incorporated herein by reference.
The data structure includes a header segment 114 which, by way of example
only, may define the type of object that follows, e.g., a purchase order
related object or any other type of electronic digital object. The program
authorization information is embedded in a segment 116 which specifies the
authorization for the object's program or programs in a manner to be
described more fully hereinafter.
The data structure includes an object program(s) segment 118, which for
example, may control the manner in which an associated purchase order is
displayed so as to leave blanks for variable fields which are
interactively completed by the program user. The object program might
store such data and send a copy of itself together with accompanying data
in a manner which is described in detail in the applicant's
above-identified copending application. As indicated in FIG. 3C, the
program may be divided into several logical segments to accommodate
different uses of the object. For example, the program may present a
different display to the creator of a digital purchase order, than it
displays to subsequent recipients. When the program is received by a
recipient designated by the program, the recipient invokes a copy of the
transmitted program to, for example, control the display of the purchase
order tailored to the needs of the recipient. The recipient may verify all
received data and add new data and the program may then send itself via
the recipient's electronic mail system to, for example, a user who will
actually ship the goods purchased.
The data structure shown in FIG. 3C additionally includes data segments 120
associated with the object which include a "variables" segment and data
files segment, preferably as described in the above-identified patent
application. The data segment 120 may be partitioned such that data
associated with each version or instance of the object will be separately
stored and separately accessible, since different users may have different
uses for the data structure shown in FIG. 3C. Therefore, the data will
vary depending upon how it is collected from each user. The program 118,
however, will preferably remain intact for each user. The trusted
authority will sign the program together with the program authorization
information (PAI) since it is the program itself which needs to be
authorized rather than the data that is input in response to each
execution of the program (since the data may change during each execution
path and also since it is the program's responsibility to ensure that
accurate digital signatures are properly collected on the input data).
FIG. 3D exemplifies a situation in which many users access the same program
(image)--each having their own (possibly distinct) Program Authorization
Information 129 associated with it and maintained in a specific file
belonging to the user. FIG. 3D shows a system program directory 131, which
identifies via an indicator associated with a program name, the location
on a disk 132 of a program X. In this case, whenever program X is invoked
by a user, the system checks to determine if the user has private PAI
specification(s) (e.g., 133, 135, 137) that can be associated with that
program. Thus, different users may limit a program according to their own
needs and perception of trust. This can be useful, for example, when users
with great inherent authority, or who have been granted access to very
important information, must occasionally execute "pedestrian" programs for
mundane purposes. In this case, it may be prudent for such critical users
to define a "safety box" around some (or many, or all) "pedestrian"
programs, so that such programs may not inadvertently contain "trojan
horses" or other faults which might affect their own especially critical
data.
Therefore, such users could define general PAI "association", so that a
protecting PAI could be automatically associated with all programs--except
perhaps the select trusted few programs which handle crucial data.
The present invention allows PAI information to be associated in any
appropriate manner, so that in principle a user could define one or more
levels of PAI which are then combined together with perhaps a more
universal PAI, or with a PAI which was signed and supplied by the or
manufacturer of this program.
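The following is an added example, not code from the patent, of how the associations in FIGS. 3A and 3D and the layered PAIs just described can be resolved at invocation time: a system directory records each program's location and its system-level PAI, each user may keep a private PAI per program, and a user may define a general "safety box" PAI that applies to every program except a trusted few. When several PAIs apply, this example combines them restrictively, so an operation must be permitted by every applicable layer. The directory class, its method names, the `Grant` representation and the sample programs and users are all constructed here.

```python
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Hypothetical simplified PAI: a list of grants (the roles of FIG. 2's segments 34, 36 and 38).
@dataclass(frozen=True)
class Grant:
    resource_type: str
    pattern: str          # may carry a wild card, as segment 36 allows
    actions: frozenset

PAI = List[Grant]

def permits(pai: PAI, resource_type: str, resource: str, action: str) -> bool:
    return any(g.resource_type == resource_type and fnmatch.fnmatchcase(resource, g.pattern)
               and action in g.actions for g in pai)

class ProgramDirectory:
    """FIG. 3A-style system directory (program name -> location and PAI), FIG. 3D-style
    per-user PAI files, and a per-user general association that boxes every program
    except a trusted few. The structure names are constructed here, not the patent's."""

    def __init__(self):
        self.programs: Dict[str, dict] = {}              # name -> {"location", "pai"}
        self.user_pai: Dict[str, Dict[str, PAI]] = {}    # user -> program -> private PAI
        self.user_box: Dict[str, PAI] = {}               # user -> safety-box PAI for all programs
        self.user_trusted: Dict[str, Set[str]] = {}      # user -> programs exempt from the box

    def register_program(self, name: str, location: str, pai: Optional[PAI] = None):
        self.programs[name] = {"location": location, "pai": pai}

    def set_user_pai(self, user: str, program: str, pai: PAI):
        self.user_pai.setdefault(user, {})[program] = pai

    def set_safety_box(self, user: str, pai: PAI, trusted: Set[str] = frozenset()):
        self.user_box[user] = pai
        self.user_trusted[user] = set(trusted)

    def layers(self, user: str, program: str) -> Dict[str, PAI]:
        """Every PAI that applies to this invocation, keyed by its source."""
        if program not in self.programs:
            raise KeyError(program)
        found: Dict[str, PAI] = {}
        if self.programs[program]["pai"] is not None:
            found["system"] = self.programs[program]["pai"]        # FIG. 3A/3B: stored with the program
        if program in self.user_pai.get(user, {}):
            found["user"] = self.user_pai[user][program]            # FIG. 3D: the user's private PAI
        if user in self.user_box and program not in self.user_trusted.get(user, ()):
            found["safety-box"] = self.user_box[user]               # general association
        return found

    def authorized(self, user: str, program: str, resource_type: str, resource: str, action: str) -> bool:
        """Combined PAIs are applied restrictively: every applicable layer must permit the
        operation. With no layer at all the invocation is unconstrained, which is why a
        safety box covering all programs is the safer configuration."""
        return all(permits(p, resource_type, resource, action)
                   for p in self.layers(user, program).values())

# Constructed sample directory with two programs and two users.
def sample_directory() -> ProgramDirectory:
    d = ProgramDirectory()
    d.register_program("EDITOR", "/disk/bin/editor",
                       [Grant("files", "*.TXT", frozenset({"read", "write"}))])
    d.register_program("PAYROLLAPP", "/disk/bin/payroll",
                       [Grant("files", "PAYROLL*", frozenset({"read", "write"}))])
    for user in ("ceo", "clerk"):           # every user boxes pedestrian programs to text files
        d.set_safety_box(user, [Grant("files", "*.TXT", frozenset({"read", "write"}))],
                         trusted={"PAYROLLAPP"} if user == "ceo" else set())
    # the ceo further narrows EDITOR, for their own use only, to memo files
    d.set_user_pai("ceo", "EDITOR", [Grant("files", "MEMO*.TXT", frozenset({"read", "write"}))])
    return d

if __name__ == "__main__":
    d = sample_directory()
    for call in [("ceo", "EDITOR", "files", "MEMO1.TXT", "write"),
                 ("ceo", "EDITOR", "files", "PLAN.TXT", "write"),
                 ("ceo", "PAYROLLAPP", "files", "PAYROLL.DATA", "write"),
                 ("clerk", "PAYROLLAPP", "files", "PAYROLL.DATA", "write")]:
        print(call, sorted(d.layers(call[0], call[1])), "ALLOW" if d.authorized(*call) else "DENY")
```

The clerk is refused PAYROLL.DATA even though the program's own system PAI permits it, because the clerk's safety box was not relaxed for PAYROLLAPP; the ceo's private EDITOR PAI likewise narrows what the system PAI would otherwise allow.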
The present invention contemplates that the association between a program
and its PAI can be constructed very generally so that, if necessary, one
program could be associated with multiple PAI's, or conversely, that one
PAI could be applied to multiple programs; or s