Generating rule-based access control policies using a bytecode instrumentation system

Abstract

Instrumentation codes are inserted into predetermined portions of a bytecode. Every transaction referenced in the bytecode is virtually combined and arranged hierarchically to describe a virtual transaction stack describing the computer-based resources accessed during the transaction. Based at least on the origin of the transaction, the characteristics of the transaction, and the computer-based resources accessed during the transaction, the sensitivity of the transaction and the security context of each of the computer-based resources accessed during the transaction are determined. A policy store is searched for at least one access control policy referencing the transaction or the computer-based resources that the transaction requests to access. If such an access control policy is found, it is selectively modified to refer exclusively to the transaction and the corresponding sensitive computer-based resources. Otherwise, a new access control policy exclusively referencing the data-oriented transactions and the corresponding sensitive computer-based resources is created.