Securing Sensitive Data Executed By Program Scripts In A Computing Device

20220366070 · 2022-11-17

    Abstract

    The present invention relates to the security of sensitive data executed by program files in a computing device. A first file comprising a sequence of instructions that can be configured onto the memory and executed by a processor is stored in a storage device of the device. A suitable program comprising a sequence of instructions is configured on memory and coupled to an encrypted credential store only accessible to the program instance being executed by a processor. An encrypted data store coupled to the above program is provided on the device's storage device. The successful execution of said first file requires access to sensitive data such as but not limited to passwords, API keys or other sensitive parameters, which are provided at run-time by the program coupled to the encrypted credential store.

    Claims

    1. A computing device comprising of: a first file, such as but not limited to a program script, stored in a storage device comprising of a sequence of instructions that can be configured onto the memory and executed by a processor, wherein: the successful execution of said script's sequence of instructions requires access to sensitive data such as but not limited to passwords, API keys or other sensitive parameters, and; said sensitive data is provided at script run-time by a suitably provided program configured to secure sensitive data required for the successful execution of said script's sequence of instructions; a suitable program comprising a sequence of instructions configured on memory and coupled to an encrypted credential store only accessible to the program instance being executed by a processor, wherein: the said program is capable of accessing sensitive data in the encrypted data store without revealing the access or decryption keys, and; said program is capable of storing sensitive data in the encrypted data store inaccessible to any external programs or processes; an encrypted data store coupled to above said suitable program, and comprising of sensitive data only accessible to the said program and no external programs or processes; a memory; a processor, and; a storage device.

    2. The computing device as in claim 1, wherein said suitable program is capable of detecting the execution of provided first file, by the processor and to provide access to sensitive data such as access keys to said script at run-time.

    3. The computing device as in claim 1, wherein said suitable program is capable of detecting the execution of provided first file by the processor and to remove access to sensitive data such as access keys to said script wherein said script is not being executed.

    4. The computing device as in claim 1, wherein said suitable program is capable of causing the execution of provided first file such as a program script by the processor and to provide access to sensitive data such as access keys to said script at run-time.

    5. The computing device as in claim 2, wherein said suitable program is capable of creating a temporary file on the storage device containing sensitive data to provide access to sensitive data such as access keys wherein execution of provided first file by the processor is detected.

    6. The computing device as in claim 5, wherein said suitable program is capable of removing said temporary file created on the storage device containing sensitive data for providing access to sensitive data such as access keys wherein execution of provided first file by the processor is stopped.

    7. The computing device as in claim 1, wherein said suitable program is capable of providing access to sensitive data such as access keys to said script wherein said script is being executed in certain conditions only, including but not limited to time, date, or any such conditions detectable by said program for example users logged into the device.

    8. The computing device as in claim 1, wherein said sensitive data in said encrypted data store is tracked by a publicly available unique identifier that is not related to stored credentials.

    9. The computing device as in claim 1, wherein said program is capable of allowing a user access to it, and by extension the encrypted data store without revealing the contents of the store to any other external programs and processes.

    10. A method of secure execution of sensitive data executed by a file such as program script, the method comprising of: storing a first file such as a program script in a storage device, the file comprising of a sequence of instructions that can be configured onto the memory and executed by a processor, wherein: the successful execution of said file's sequence of instructions requires access to sensitive data such as but not limited to passwords, API keys or other sensitive parameters, and; said sensitive data is provided at run-time by a suitably provided program configured to secure sensitive data required for the successful execution of said file's sequence of instructions; executing a suitable program comprising a sequence of instructions configured on memory and coupled to an encrypted credential store only accessible to the program and its process, wherein the execution of said program by the processor enables accessing sensitive data in the encrypted data store by the first file such as a program script at run-time without revealing the access or decryption keys to the encrypted data store.

    11. The method as in claim 10, wherein said suitable program is capable of allowing a user access to it, and by extension the encrypted data store without revealing the contents of the store to any other external programs and processes.

    12. The method as in claim 10, wherein said program is capable of storing sensitive data in the encrypted data store inaccessible to any external programs or processes.

    13. The method as in claim 10, wherein said program is capable of determining the execution of said first file such as a program script stored in storage device.

    14. A method performed by a suitable program configured on memory and executed by a processor, the method comprising of: receiving sensitive data such as API keys, access credentials or passwords; storing received sensitive data in an encrypted data store; determining the execution of a first file, such as a program script, stored on device that requires access to said stored sensitive data; receiving a request from said first file stored on device for said sensitive data, and; providing access to said sensitive data during said first file run-time.

    15. The method as in claim 14, wherein said stored sensitive data is identifiable by a unique identifier.

    16. The method as in claim 15, wherein said file requests said program access to said sensitive data using said sensitive data unique identifier.

    17. The method as in claim 14, further comprising receiving a conditional mechanism wherein access to said sensitive data is limited to only certain conditions including but not limited to the date, time or any such conditions determinable by said suitable program.

    18. The method as in claim 17, further comprising sending an alert if conditions for access are breached by a stored first file such as a program script.

    19. A method of providing secure execution of sensitive data executed by a file such as a program script, the method comprising of: providing a suitable program configured on the memory and coupled to an encrypted data store on the memory of a computing device, such that data in the data store is not accessible to external programs and processes; providing of credentials or other sensitive data to the program for storage in the encrypted data store, each credential tracked by a unique identifier; providing of an executable file on the storage device configurable on memory with an executable sequence of instructions to be performed by the processor, and; providing to the executable file the access to sensitive data at run-time by the suitable program coupled to encrypted data store.

    Description

    BRIEF DESCRIPTION OF FIGURES

    [0020] The invention is further described with respect to the embodiment as drawn in the accompanying figures:

    [0021] FIG. 1 of the diagrams illustrates a device configuration for secure sensitive data execution by program scripts.

    [0022] FIG. 2 of the diagrams illustrates a method of secure execution of sensitive data by a program script.

    [0023] FIG. 3 of the diagrams illustrates a method performed by a suitable program according to this invention.

    [0024] FIG. 4 of the diagrams illustrates a method embodying how the invention is used.

    DETAILED DESCRIPTION OF THE INVENTION

    [0025] For purposes of this disclosure, file and script could be used interchangeably.

    [0026] In a first embodiment according to FIG. 1 of the diagrams, a device configuration for secure sensitive data execution by program files executed by the processor of a device is illustrated. The device comprises a processor 1, a memory 2, a storage device 3 and a bus 4. In the invention, a first file such as a program script 30 is stored in the storage device, whereby the file comprises a sequence of instructions that can be configured onto the memory and executed by the processor. To fully execute its objective, the successful execution of said file's sequence of instructions by the processor when loaded on the memory requires access to sensitive data such as but not limited to passwords, API keys or other sensitive parameters. Such an objective could be the decryption of data required by the running of the instructions, access to a protected resource such as an application programming interface (API) or any such protected resource that requires confidential and sensitive data for its access, or data which by itself would be considered sensitive, such as but not limited to credit card information required to complete a payment instruction.

    [0027] Typically, such sensitive data is provided to the file or script either in plain text, or as a hidden file in what is commonly known as the environment variables. However, even the hidden file would be accessible to an actor logged into the computing device. As such, said sensitive data required for successful execution of the script by the processor is provided at script run-time by a suitably provided program configured to provide access to sensitive data required for the successful execution of said script's sequence of instructions. In its essence, a suitable program that provides access to sensitive data is any such program comprising a sequence of instructions configured on memory and coupled to an encrypted credential store 40 only accessible to the program instance being executed by the processor. The program is capable of accessing sensitive data in the encrypted data store without revealing the access or decryption keys, and is also capable of storing sensitive data in the encrypted data store inaccessible to any external programs or processes. In its essence, the program relies on self-encrypted data, whereby the key to access the encrypted credential store 40 must not be visible from outside; therefore the key must, for example, be compiled inside the program and be protected against decompilation or other methods of analysis. Alternatively, the access key could be protected using any such suitable method, such as a key that is stored in a filesystem to which only the program has access. It is not preferable that it be protected with a password with which the program and its data can be accessed from outside.

    [0028] Further still, the suitable program could be made capable of detecting the execution of the provided first file such as a program script 30 by the processor and of providing access to sensitive data such as access keys or passwords to said script at run-time. For instance, by detecting the running processes, the program could subsequently avail access to the sensitive data to the process running the first file such as a program script. It could also be configured to remove access to the sensitive data such as access keys from said script when said script is not being executed. The program could further be configured to cause the execution of the provided first file such as a program script by the processor and to provide access to sensitive data such as access keys to said script at run-time. Notably, the access could be a set of parameters passed to the first file such as a program script during its run-time, or a temporary file created by the program on the storage device containing sensitive data to provide access to sensitive data such as access keys. In the case where a file is created, the program is capable of removing said temporary file created on the storage device containing sensitive data, so as to remove access to sensitive data such as access keys when the execution of the provided first file such as a program script by the processor is stopped.

    [0029] The provision of access to sensitive data by the suitable program 20 may further depend upon certain conditions such as time, date, or any such conditions detectable by said program, for example users logged into the device. Moreover, the sensitive data in the encrypted data store 40 could be tracked by a publicly available unique identifier, public in the context of the processing environment, that is not related to the stored credentials. For the purposes of creating, removing and altering the contents of the encrypted data store 40, a suitable mechanism of accessing the program is provided. The program is capable of allowing a user access to it, and by extension the encrypted data store, without revealing the contents of the store to any other external programs and processes, external in the context of the processing environment of the device.

    [0030] A second embodiment according to FIG. 2 of the diagrams illustrates a method of secure execution of sensitive data executed by a program script. The first step 20 entails storing a first file such as a program script 30 in a storage device 3, the script being comprised of a sequence of instructions that can be configured onto the memory and executed by a processor, whereby the successful execution of said script's sequence of instructions requires access to sensitive data such as but not limited to passwords, API keys or other sensitive parameters, and said sensitive data is provided at run-time by a suitably provided program configured to secure sensitive data required for the successful execution of said script's sequence of instructions in an encrypted data store 40. The second step 21 entails executing a suitable program 20 comprising a sequence of instructions configured on memory and coupled to the encrypted credential store only accessible to the program and its processes. The execution of the program by the processor enables the provision of access to sensitive data in the encrypted data store by the first file such as a program script 30 at run-time without revealing the access or decryption keys to any external processes and programs. It is inherently important that the program 20 is capable of storing sensitive data in the encrypted data store inaccessible to any external programs or processes, or even capable of determining the execution of said first file such as a program script stored in the storage device, for fool-proof security.

    [0031] A further embodiment according to FIG. 3 of the diagrams is a method performed by a suitable program configured on memory and executed by a processor. The first step 30 is receiving sensitive data such as an access credential or password, preferably from a user with sufficient access privileges and authority to protect such sensitive data. The next step 31 is storing the received sensitive data in an encrypted data store, labeled 40 in FIG. 1. The subsequent step 32 is determining the execution of a script stored on the device that requires access to said sensitive data. Step 33 is receiving a request from said first file such as a program script 30 stored on the device for said sensitive data, and finally step 34 is the provision of access to said sensitive data during the run-time of said first file such as a program script. Noteworthy, the stored sensitive data could be identifiable by a unique identifier, whereby the first file such as a program script requests from said program access to sensitive data using the sensitive data's unique identifier. Furthermore, a conditional mechanism could be implemented, wherein access to said sensitive data is limited to only certain conditions including but not limited to the date, time or any such conditions determinable by said suitable program. It is also an object of this invention to send an alert if the conditions for access are breached by a stored first file such as a program script 30.
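    As an added illustration, not code from the patent or from any product, the following Go sketch models the suitable program of [0027] to [0029] and the request path of [0031]: secrets are held AES-GCM-encrypted under a public identifier, the store key exists only in the broker's own process and is never returned, each run-time request is first checked against an access condition (here a time-of-day window supplied by the caller), and a breached condition is recorded as an alert. The Broker type, its method names and the policy callback are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Broker stands in for the patent's "suitable program": the store key lives only
// in this process, and scripts get a secret by public identifier while policy allows.
type Broker struct {
	aead   cipher.AEAD
	store  map[string][]byte // identifier -> nonce || ciphertext
	policy func(time.Time) bool
	Alerts []string // one entry per access attempt that breached the policy
}

func NewBroker(policy func(time.Time) bool) (*Broker, error) {
	key := make([]byte, 32) // assumption: fresh per process; never returned or written
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block size: cannot fail
	return &Broker{aead: aead, store: map[string][]byte{}, policy: policy}, nil
}

// Store encrypts a secret under an identifier unrelated to its content; the
// identifier is bound as associated data, so a blob moved to another id fails.
func (b *Broker) Store(id string, secret []byte) error {
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	b.store[id] = b.aead.Seal(nonce, nonce, secret, []byte(id))
	return nil
}

// Fetch serves a script's run-time request: policy first, a breach is recorded
// as an alert, and decryption happens only for this call.
func (b *Broker) Fetch(id, requester string, now time.Time) ([]byte, error) {
	if !b.policy(now) {
		b.Alerts = append(b.Alerts, fmt.Sprintf("%s denied %q at %s", requester, id, now.Format(time.RFC3339)))
		return nil, fmt.Errorf("access conditions not met for %q", id)
	}
	blob, ok := b.store[id]
	if !ok {
		return nil, fmt.Errorf("unknown identifier %q", id)
	}
	ns := b.aead.NonceSize()
	return b.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}
```

    The temporary-file hand-off of claims 5 and 6 would sit on top of Fetch: write the returned bytes to a mode 0600 file for the script's process and remove it once that process exits.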

    [0032] The final embodiment according to FIG. 4 of the diagrams is a method embodying how the invention is used. The first step 40 is the configuration of a suitable program coupled to an encrypted data store on the memory of a computing device, such that data in the data store is not accessible to external programs and processes. The subsequent step 41 is the provision of credentials or other sensitive data to the program for storage in the data store, each credential tracked by a unique identifier, preferably by a user with sufficient rights over the sensitive data. The next step 42 is the provision of an executable script on the storage device configurable on memory with an executable sequence of instructions to be performed by the processor. The final step 43 is providing the executable script with access to sensitive data at run-time by the suitable program coupled to the encrypted data store.

    INDUSTRIAL APPLICATION

    [0033] The technology of the current invention is applicable in the security industry.