METHOD AND SYSTEM TO DYNAMICALLY ALTER APPLICATION FUNCTIONALITY AT RUNTIME IN A CONSTRAINED AND SECURE MANNER
The present disclosure provides a method and system for dynamically updating an application functionality in a secure and constrained manner comprising a cloud service for generating dynamic code fragments and receiving reports, an agent manager in communication with the cloud service receiving code fragments from the cloud service and passing reports thereto, and an in-application agent in communication with the agent manager for receiving dynamic code fragments therefrom and passing reports thereto for dynamically updating the application functionality in which the in-application agent is embedded.
This application claims priority from U.S. Provisional Patent Application 61/866,191 filed Aug. 15, 2013.
TECHNICAL FIELD
The present invention relates to methods and systems for dynamically altering application functionality, and is particularly concerned with using dynamic and in-application components.
BACKGROUND
In almost all scenarios, updating software functionality requires the updating of the source code, and in some cases compiling the source code to produce a new artifact. In both cases, this will require a new release of the software onto the target machine. There are scenarios where it may be desirable to be able to update the functionality without needing this release step.
For example, some algorithms may need to be improved over time, certain classes of security bugs need to be fixed, or even certain features introduced or disabled. There is a need in the industry for a method and the system that allow for the above examples to be addressed without requiring a software release (installation/application restart) step.
Furthermore, there is a need to be able to perform said alterations, without compromising system security.
SUMMARY
An object of the present invention is to provide a method and system for dynamic application updates at runtime, in a constrained and safe manner. Furthermore, the dynamic alteration of functionality can be constrained to only allowable operations/features such that certain security guarantees can be made.
In the present disclosure there is provided a method and system for an agent library to be included into an application, either by the developer or at runtime by the runtime environment. The agent library is able to hook into various interfaces between the application and the different components in the environment, including custom defined interfaces.
These interfaces can vary significantly. In the case of a web application, such interfaces include, but are not limited to datastores (SQL/NoSQL/XML as well as other types of databases), caching services, other services exposed via an API mechanism, the application runtime environment, included application libraries, as well as other services that are components of a web application, such as an email server. In the case of a mobile app, the interfaces include but are not limited to the local datastore operations on the mobile device, the networking interface, or even an in-application custom defined interface (e.g. hook around user performing a certain operation). Each hook around an interface is able to call a chain of dynamic code fragments. For example, in a mobile application that processes photos taken with the mobile device, hooks are placed around the Camera's interface (the “save picture” functionality), and those hooks call functions (dynamic code fragments) to perform post processing on the photo just taken, before it is stored to the device.
The hooking mechanism is capable of working in cases where the runtime does not provide an instrumentation API. For example, the hooking mechanism may use “monkey patching” techniques or utilize a plugin/middleware mechanism provided by the language, framework or runtime of the particular application.
The present disclosure provides for these code fragments to be dynamic. That is, the code/logic implementing the functions (code fragments), which in turn are called by the hooks around particular interfaces can be modified at runtime without intervention by the developer. These functions are generated by the service side of the platform, and delivered via a secure channel to the agent library, where they are implemented.
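The hook-and-chain arrangement described above can be sketched as follows. This is an added example, not code from the disclosure: the `Hook` and `Camera` classes and the `invert` and `broken` fragments are hypothetical, and fragments are plain Python callables here rather than code run by a constrained engine.

```python
import threading


class Hook:
    """Monkey-patches one method and runs a replaceable fragment chain on its input."""

    def __init__(self, target, method_name):
        self._target, self._name = target, method_name
        self._original = getattr(target, method_name)
        self._chain = ()               # immutable tuple, always swapped as a whole
        self._lock = threading.Lock()
        self.reports = []              # data destined for the agent manager
        setattr(target, method_name, self._wrapper)   # install the hook

    def replace_chain(self, fragments):
        """Install a new chain at runtime; calls already in flight keep the old one."""
        with self._lock:
            self._chain = tuple(fragments)

    def _wrapper(self, data):
        for fragment in self._chain:   # snapshot taken once per call
            try:
                data = fragment(data)
            except Exception as exc:   # a faulty fragment must not break the application
                name = getattr(fragment, "__name__", "fragment")
                self.reports.append((name, repr(exc)))
        return self._original(data)

    def uninstall(self):
        """Restore the original method."""
        setattr(self._target, self._name, self._original)


class Camera:
    """Constructed stand-in for the application's 'save picture' interface."""

    def __init__(self):
        self.stored = None

    def save_picture(self, pixels):
        self.stored = list(pixels)


def invert(pixels):
    """Constructed post-processing fragment: invert 8-bit pixel values."""
    return [255 - p for p in pixels]


def broken(pixels):
    """Constructed fragment that always fails, to show fault isolation."""
    raise ValueError("constructed failure")
```

Replacing the chain changes what `save_picture` does on the next call without touching or restarting the application code, and a failing fragment produces a report instead of an application error.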
The present disclosure also contains guarantees to certain security constraints. Specifically, while these code fragments are dynamic (i.e. modifiable at runtime without installation/restart/intervention)—there are constraints placed on what these fragments can do. For example, it may be desirable to eliminate generic input/output operations from such fragments. This can be accomplished by, but not limited to, use of a scripting engine to execute the code fragments, with said limitations in place. Alternatively, a virtual machine and runtime can execute said dynamic code fragments. The virtual machine and runtime will exclude the necessary operations to conduct input/output operations—for example.
Such a design will allow for the safe execution of dynamic code fragments within acceptable constraints: constraints that are by design sufficient to guarantee non-violation of security of operation.
In the example of the mobile device and picture processing application, new post processing effects and filters, for example, can be added dynamically by altering these dynamic code fragments.
There are constraints placed in the engine that prevent the accidental or malicious redirection of pictures to a remote server. For example, this could be accomplished by the use of a virtual machine runtime that excludes the network input/output operations. Specifically, only basic computation operations are allowed (load value from memory, store value to memory, all arithmetic operations). Hence, utilizing this invention, we are able to restrict the features of the processing filters to the nature of such filters: mathematical transformations on data structures.
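A restricted instruction set of this kind can be illustrated with a small stack machine that accepts only load, store and arithmetic operations and rejects a fragment outright if it contains anything else. This is an added example, not code from the disclosure: the opcode names, the tuple encoding, the `PUSH` constant-load and the length limit are assumptions.

```python
import operator

# Opcode names and the tuple encoding are assumptions made for this example.
ARITH = {"ADD": operator.add, "SUB": operator.sub, "MUL": operator.mul,
         "DIV": operator.floordiv}
ALLOWED = {"PUSH", "LOAD", "STORE"} | set(ARITH)
MAX_LEN = 1024  # fragments are straight-line code, so length bounds run time


class FragmentRejected(Exception):
    """The fragment uses a forbidden operation or violates a limit."""


def validate(fragment, mem_size):
    """Reject the whole fragment before any instruction runs."""
    if len(fragment) > MAX_LEN:
        raise FragmentRejected("fragment too long")
    for pc, ins in enumerate(fragment):
        op = ins[0] if isinstance(ins, tuple) and ins else None
        if not isinstance(op, str) or op not in ALLOWED:
            raise FragmentRejected(f"{pc}: operation {op!r} is not permitted")
        args = ins[1:]
        if op in ARITH:
            ok = not args
        else:
            ok = len(args) == 1 and type(args[0]) is int
            if ok and op != "PUSH":
                ok = 0 <= args[0] < mem_size   # memory access stays in bounds
        if not ok:
            raise FragmentRejected(f"{pc}: bad operands for {op}")


def run(fragment, memory):
    """Execute a validated fragment on a copy of memory and return the result."""
    validate(fragment, len(memory))
    mem, stack = list(memory), []
    try:
        for op, *args in fragment:
            if op == "PUSH":
                stack.append(args[0])
            elif op == "LOAD":
                stack.append(mem[args[0]])
            elif op == "STORE":
                mem[args[0]] = stack.pop()
            else:
                right, left = stack.pop(), stack.pop()
                stack.append(ARITH[op](left, right))
    except (IndexError, ZeroDivisionError) as exc:   # stack underflow, divide by zero
        raise FragmentRejected(f"runtime fault: {exc}") from exc
    return mem


# Constructed sample: scale pixel 0 by 3/2 and leave the others untouched.
BRIGHTEN = [("LOAD", 0), ("PUSH", 3), ("MUL",), ("PUSH", 2), ("DIV",), ("STORE", 0)]
# Constructed sample: a fragment requesting an operation outside the allowed set.
EXFIL = [("LOAD", 0), ("NET_SEND", 0)]
```

Because the machine has no instruction for network or file access, a fragment such as `EXFIL` fails validation before a single instruction executes, while `BRIGHTEN` can only transform the memory it was handed.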
Communication also flows in the other direction, from the agent library to the cloud service, and allows for the agent library to provide information to the cloud service.
In the example of the mobile device and the picture processing application, data about the geographic location of where the picture is taken can be sent to the cloud service.
In accordance with an aspect of the present disclosure there is provided a system for dynamically updating components comprising a cloud service for generating dynamic code fragments and receiving data, an agent manager in communication with the agent library sending dynamic code fragments to the agent library and passing data thereto, and an in-application agent in communication with the agent manager for receiving dynamic code fragments therefrom and passing reports thereto for dynamically updating an application in which the in-application agent is embedded.
The present invention will be further understood from the following detailed description with reference to the drawings in which:
In general, the present invention provides a technique for injecting dynamic code fragments into an application.
Definitions
A dynamic code fragment is a set of instructions (a part of a software program) to be executed by an agent library.
A cloud service is a set of remote servers exposing an endpoint that collects relevant data from authenticated agent libraries via a secure channel, and generates dynamic code fragments to be executed by the virtual machine in the agent library.
An agent library (also known as in-application agent) is a software component that is included by the developer into the application directly or by the runtime environment, that provides the base functionality on the agent side to receive and execute dynamic code fragments, and is able to send requested information to the cloud service.
A report is any data communicated back from the agent library to the agent manager.
In operation, the in-app agent 150 receives dynamic code fragments 170 from the cloud service 110 via the agent manager 130. The dynamic code fragments 170 provide the new or modified functionality for the application. The in-app agent 150 also sends reports 180 to the agent manager 130. The agent manager 130 is responsible for the communications between the cloud service 110 and the application 160.
The real-time web dashboard 120 is provided to give the application developer or user an insight into any aspect of the dynamic code execution, for example, the performance of the application (to observe the effects of the dynamic code fragments on the application performance). The real-time web dashboard 120 also provides an interface for creating, editing, modifying, selecting and/or scheduling the delivery of the dynamic code fragments.
The cloud service 110 receives the reports 180 from the various agent managers 130 (only one shown in
In an example of the present disclosure, in operation, the agent library 210 uses a middleware mechanism 230 to hook into various points of the application 160 and the web application framework. The hooks 240 allow the processor 220 to inject dynamic code fragments 170, which it received from the cloud service 110 via the link manager 130, into these points in the program (application). In turn, these dynamic code fragments 170 allow reports 180 to be generated by the fragment processor 220 and to be sent by the in-app agent 150 back to the agent manager 130, which forwards these reports 180 to the cloud service 110 for the creation of new dynamic code fragments where necessitated or desirable.
The dynamic code fragments 170 may be used for updates, security patches, bug fixes or any other purpose. The dynamic code fragments are executable code that does not require the application to be shut down and restarted.
The dynamic nature of the method provides for altering the functionality of an application by injecting dynamic code fragments into the application based on what the cloud service 110 believes is most effective. Consequently, the cloud service is injecting new code (representing a new algorithm, feature, tool or functionality) into the in-app agents, which changes how each respective application behaves. This injection of code is automatic in the sense that it is done without developer intervention. Thus, the in-app agent provides an empty container at certain interfaces within the application to be filled (injected) with dynamic code fragments that are generated dynamically cloud side.
From the foregoing, it is apparent that the system may include a sandboxing mechanism to constrain the dynamic code fragments that may be executed. As an example, it may not be desirable to allow the dynamic code fragments to contain generic input/output operations, for security reasons, and to be restricted to computation algorithms only. As such, in an embodiment, the agent library disables all input/output operations such that dynamic code fragments injected into the application cannot be compromised by a malicious agent to perform undesirable operations or export data. In other embodiments, the agent library may selectively disable some operations (such as input/output operations) to sandbox the new dynamic code fragments injected into the application.
The dynamic code fragments are executed by an agent library, which places such constraints on the dynamic code fragments. This sandboxing effect can be achieved by use of a scripting engine, or alternatively, a full virtual machine and runtime environment with a restricted instruction set.
Although the foregoing technology is best implemented using a cloud service 110, in other embodiments the cloud service may be replaced by a server cluster or even a single server. Each server is a computing device having a processor coupled to a memory and to a data communication port (e.g. modem, network adapter, etc.) for data communication with a network to which the server is connected. The server may include various input/output (I/O) devices and peripherals. The processor and memory cooperate to execute instructions in the form of software code for causing the computing device (server, cluster or cloud service as the case may be) to perform the acts or operations of the novel methods described herein.
Any of the methods disclosed herein may be implemented in hardware, software, firmware or any combination thereof. Where implemented as software, the method steps, acts or operations may be programmed or coded as computer-readable instructions and recorded electronically, magnetically or optically on a non-transitory computer-readable medium, computer-readable memory, machine-readable memory or computer program product. In other words, the computer-readable memory or computer-readable medium comprises instructions in code which when loaded into a memory and executed on a processor of a computing device cause the computing device to perform one or more of the foregoing method(s).
A computer-readable medium can be any means, memory device or medium that contains, records, or stores a computer program or application to be executed or run by a processor (or microprocessor) of a computer (or computing device or other instruction-execution apparatus). The computer-readable medium may be electronic, magnetic, optical, electromagnetic, infrared or any semiconductor system or device. For example, computer executable code to perform the methods disclosed herein may be tangibly recorded on a non-transitory computer-readable medium including, but not limited to, a floppy-disk, a CD-ROM, a DVD, RAM, ROM, EPROM, Flash Memory or any suitable memory card, etc. The method may also be at least partially implemented in hardware. A hardware implementation might employ discrete logic circuits having logic gates for implementing logic functions on data signals, an application-specific integrated circuit (ASIC) having appropriate combinational logic gates, a programmable gate array (PGA), a field programmable gate array (FPGA), etc.
This invention has been described in terms of specific embodiments, implementations and configurations which are intended to be exemplary only. Persons of ordinary skill in the art will appreciate, having read this disclosure, that many obvious variations, modifications and refinements may be made without departing from the inventive concept(s) presented herein. The scope of the exclusive right sought by the Applicant(s) is therefore intended to be limited solely by the appended claims.
1. A system for dynamically updating application functionality, the system comprising:
- an in-application agent for executing code fragments for dynamically updating the application functionality in which the in-application agent is embedded and for generating reports characterizing the application functionality;
- a cloud service for generating dynamic code fragments and receiving the reports;
- an agent manager in communication with the cloud service for receiving the dynamic code fragments from the cloud service and passing the dynamic code fragments received to the in-application agent and for receiving reports from the in-application agent and passing the reports received to the cloud service.
2. The system of claim 1 wherein the in-application agent includes a link manager for communications with the agent manager.
3. The system of claim 1 wherein the in-application agent includes hooks into the web application.
4. The system of claim 1 wherein the cloud service generates and updates the dynamic code fragments in response to application level and external data sources.
5. The system of claim 1 wherein upon receiving the new dynamic code fragments, the in-application agent updates a configuration to use the new dynamic code fragments.
6. The system of claim 1 wherein the in-application agent uses hooks to execute the code fragments.
7. The system of claim 1 wherein the in-application agent generates the reports locally.
8. A method of dynamically updating an application functionality, the method comprising:
- embedding an in-application agent into an application;
- generating dynamic code fragments in a cloud service;
- providing these generated fragments to the in-application agent;
- the in-application agent receiving these fragments for updating the functionality in which the in-application agent is embedded.
9. The method of claim 8 further comprising:
- the in-application agent executing new code fragments;
- generating a report; and
- sending it to the cloud service.
10. The method of claim 9 further comprising the step of the cloud service, upon receiving the report, having the possibility of generating a new code fragment and sending the new code fragment to the in-application agent.
11. The method of claim 8 further comprising:
- the cloud service receiving new information;
- generating new code fragments; and
- sending the new code fragments to the in-application agent; and
- the in-application agent executing the new code fragment.
12. A non-transitory computer readable medium comprising instructions in code which when stored in a memory of a computing device and executed by a processor of the computing device cause the computing device to:
- execute an in-application agent embedded in an application, the in-application agent including:
- an in-app library for storing dynamic code fragments;
- a fragment processor for adding the dynamic code fragments to the application and for generating one or more reports;
- a link manager for receiving new dynamic code fragments from a cloud service generated in response to the one or more reports;
- one or more hooks in the application enabling the processor to inject the new dynamic code fragments into the web application.
13. The computer readable medium of claim 12 wherein the link manager communicates with the cloud service by communicating via an encrypted link with an agent manager.
Filed: Aug 15, 2014
Publication Date: Jul 7, 2016
Inventor: Ahmad Zaid Al Hamami (Brossard)
Application Number: 14/912,023