Lawrence H Koved

7076804, Jul 11, 2006

May 11, 2001

09/854031

Aaron Kershenbaum - New City NY, US
Lawrence Koved - Pleasantville NY, US
Marco Pistoia - Yorktown Heights NY, US

International Business Machines Corporation - Armonk NY

G06F 17/30

726 30, 726 22, 726 26, 726 27, 713167

This invention provides methods and apparatus for determining a set of authorization usage for collection of code. By using a program graph, the present invention identifies the code within in bounded paths in the program graph that use authorization. The level of precision is able to identify authorization usage to the level of basic blocks, methods, classes or other collections of code. By using the analysis technique described in this invention, we can determine the authorizations needed by collections code, including Java applets, servlets, and Enterprise JavaBeans. By using the present invention, it is possible, prior to loading the mobile code, to prompt the administrator or end-user to authorize or deny the code access to restricted the resources, or determine whether authorization testing will be required.

7219341, May 15, 2007

Oct 31, 2002

10/285007

Ann Eleanor Dalton - Hants, GB
David Granshaw - Hants, GB
Matt Richard Hogstrom - Cary NC, US
Aaron Stephen Jay Kershenbaum - New City NY, US
Lawrence Koved - Pleasantville NY, US
Bert Laonipon - Raleigh NC, US
Simon Christopher Nash - Hampshire, GB
Marco Pistola - Yorktown Heights NY, US

International Business Machines Corporation - Armonk NY

G06F 9/45

717154, 717151, 717155

A method, system and apparatus for performing selective data processing based upon a static analysis of the code of a compiled object. A compiled object, for example an enterprise bean, can be analyzed to determine how individual methods in the enterprise bean access specific objects. Those specific objects can include, for instance, data members of a class, or class objects passed into one or more individual methods of the enterprise bean. Where the individual methods of the enterprise bean do not mutate or otherwise change the state of the specific objects, those objects can be accessed by reference only. Importantly, where the specific objects are data fields linked to a table in a database as managed by a container managed persistence (CMP) bean, an update to the table will not be required when the static analysis of the enterprise bean otherwise indicates that the data fields are merely accessed, but not updated.

7237236, Jun 26, 2007

Aug 22, 2002

10/226871

Aaron Stephen Jay Kershenbaum - New City NY, US
Lawrence Koved - Pleasantville NY, US
Anthony Joseph Nadalin - Austin TX, US
Marco Pistoia - Yorktown Heights NY, US

International Business Machines Corporation - Armonk NY

G06F 9/45

717154, 717151

A method and apparatus for automatically determining optimum placement of privileged code enablement locations in existing code are provided. A method invocation graph of existing code is generated and a static analysis of the method invocation graph is performed. The static analysis is used to analyze the permission propagation through chains of method invocations in the method invocation graph. When a method invocation in the method invocation graph satisfies one or more user definable criteria, the location in the method invocation graph is saved to a file that identifies recommended insertion points for a call to the authorization enablement code. This file may then be used to manually review the code to determine if a call to privileged mode enablement should actually be made at the identified locations. Alternatively, the call to privileged mode enablement may be automatically inserted at the indicated locations using refactoring.

7308717, Dec 11, 2007

Feb 23, 2001

09/792154

Lawrence Koved - Pleasantville NY, US
Magda M. Mourad - Yorktown Heights NY, US
Jonathan P. Munson - Chapel Hill NC, US
Giovanni Pacifici - New York NY, US
Marco Pistoia - Yorktown Heights NY, US
Alaa S. Youssef - Valhalla NY, US

International Business Machines Corporation - Armonk NY

G06F 7/04

726 27, 713152, 705 51, 705 52

A digital rights management (DRM) system and methodology for a Java client implementing a Java Runtime Environment (JRE). The JRE comprises a Java Virtual Machine (JVM) and Java runtime libraries components and is capable of executing a player application for presenting content that can be presented through a Java program (e. g. , a Java application, applet, servlet, bean, etc. ) and downloaded from a content server to the client. The DRM system includes an acquisition component for receiving downloaded protected contents; and a dynamic rights management layer located between the JRE and player application for receiving requests to view or play downloaded protected contents from the player, and, in response to each request, determining the rights associated with protected content and enabling viewing or playing of the protected contents via the player application if permitted according to the rights. By providing a Ad DRM-enabled Java runtime, which does not affect the way non-DRM-related programs work, DRM content providers will not require the installation of customized players. By securing the runtime, every Java™ player automatically and transparently becomes a DRM-enabled player.

7343620, Mar 11, 2008

Aug 13, 2003

10/639862

Lawrence Koved - Pleasantville NY, US
Anthony Joseph Nadalin - Austin TX, US
Marco Pistoia - Yorktown Heights NY, US

International Business Machines Corporation - Armonk NY

H04L 9/00

726 2, 713167

A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to “adopt” a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.

7493602, Feb 17, 2009

May 2, 2005

11/119553

Trent R. Jaeger - Croton-on-Hudson NY, US
Lawrence Koved - Pleasantville NY, US
Liangzhao Zeng - Ossining NY, US
Xiaolan Zhang - New Caanan CT, US

International Business Machines Corporation - Armonk NY

G06F 9/44
G06F 9/45

717137, 717126

A unified program analysis framework that facilitates the analysis of complex multi-language software systems, analysis reuse, and analysis comparison, by employing techniques such as program translation and automatic results mapping, is presented. The feasibility and effectiveness of such a framework are demonstrated using a sample application of the framework. The comparison yields new insights into the effectiveness of the techniques employed in both analysis tools. These encouraging results yield the observation that such a unified program analysis framework will prove to be valuable both as a testbed for examining different language analysis techniques, and as a unified toolset for broad program analysis.

7496757, Feb 24, 2009

Jan 14, 2002

10/050083

Paul Harry Abbott - Stockbridge, GB
Lawrence Koved - Pleasantville NY, US
Anthony Joseph Nadalin - Austin TX, US
Marco Pistoia - Yorktown Heights NY, US

International Business Machines Corporation - Armonk NY

G06F 21/00

713176, 713164, 713165, 713194

A software security system is arranged to verify the authenticity of each element of a Java Virtual Machine installation. A digital signature is attached to each file of the JVM installation. A loader (20) verifies the digital signature of the JVM DLL (30). The JVM DLL 30 then verifies the digital signature of each other DLL and configuration file to be loaded (40, 50, 60, 70), and only loads those files which have successfully verified digital signatures. In this way the security of the JVM is enhanced, a user has greater confidence that the Java applications will function correctly, and the detection of incorrect or damaged JVM installations is improved.

7810135, Oct 5, 2010

Jan 3, 2008

11/968673

Lawrence Koved - Pleasantville NY, US
Anthony Joseph Nadalin - Austin TX, US
Marco Pistoia - Yorktown Heights NY, US

International Business Machines Corporation - Armonk NY

H04L 9/00

726 2, 713167

A method and apparatus for implementing a new Permission for methods that perform callback operations are provided. The method and apparatus provide an AdoptPermission Permission type that allows a method to pass a Java 2 authorization test without having the specific required Permissions expressly granted to the method and without the method having the AllPermission Permission granted to it. With the apparatus and method, an AdoptPermission Permission type is defined that operates to allow a ProtectionDomain to “adopt” a required Permission. However, this adoption of a required Permission can only be performed if the ProtectionDomain of at least one method in the thread stack has been granted a Permission that implies the required Permission. Thus, the AdoptPermission Permission type provides an intermediate mechanism that is not as over-inclusive as the AllPermission Permission type and is not as under-inclusive as requiring that all methods in the thread stack include the required Permission expressly granted to them.