Abstract: The invention relates to a system and method for efficient security runtime. If the same security demand for permissions occurs twice during the same code path (i.e. execution stack) the latter can be automatically turned (optimized) into a security assertion based on the former demand. A security runtime can determine which assertions to establish in a call stack, using declarative security information kept in an assembly metadata and based on execution history to know what has already been demanded for a specific stack frame. If the method being called has been allowed to execute before then a demand may be replaced with an assertion for the same permissions within the call stack. If that frame was executed then it means the security demand was successfully evaluated. Furthermore, if the permission evaluation result is known to be static (e.g.

Abstract: System and method for accurately determining security policy for an application based on dynamic code analysis of application runtime execution(s). A dynamic recorder, dynamic code analyzer and security policy analyzer can evaluate and determine the security decisions and access to secure resources made during a security event within one or more executions of an application in order to identify an existing security policy that best matches an application's security needs. Security events may be analyzed to determine which security decisions and access to secure resources are necessary and which can be eliminated or replaced with alternative decisions or resources.

Abstract: The present invention allows shell program to be managed with security policies and enforced using sandboxes enforced by the security manager of a managed environment. The additional security policies may come from shell tool specific security policies, application specific security policies, resource based security policies, shell based policies, owner based policies, user based policies and/or other types of policies. Security policies may be merged to provide a managed shell more permission granularity in addition to existing machine policies.