Techniques for permitting access across a context barrier in a small footprint device using global data structures
Abstract
A small footprint device can securely run multiple programs from unrelated vendors by the inclusion of a context barrier isolating the execution of the programs. The context barrier performs security checks to see that principal and object are within the same namespace or memory space and to see that a requested action is appropriate for an object to be operated upon. Each program or set of programs runs in a separate context. Access from one program to another program across the context barrier can be achieved under controlled circumstances by using a global data structure.
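A minimal model of the checks the abstract describes, added here as an illustration and not taken from the patent: a barrier that allows same-context access, refuses cross-context access and inappropriate actions, and lets a global data structure pass. The class names, the `wallet`/`loyalty` contexts, the audit list and the choice of a byte buffer as the global structure are all assumptions of this example; the caller supplies the principal's context, which a real runtime would track itself.

```python
from contextlib import suppress
from dataclasses import dataclass

class AccessDenied(Exception): pass   # raised when the barrier refuses an access

@dataclass
class Obj:
    owner: str             # context that instantiated the object
    data: object           # dict for private objects, bytearray for global ones
    allowed: frozenset     # actions that are appropriate for this object
    is_global: bool = False

class ContextBarrier:
    def __init__(self):
        self.audit = []    # (principal, owner, action, decision) per check

    def new(self, ctx, allowed=("read", "write")):
        return Obj(ctx, {}, frozenset(allowed))

    def new_global(self, size):
        # Assumption: byte buffer only, so values cross contexts but never object references.
        return Obj("<global>", bytearray(size), frozenset({"read", "write"}), True)

    def _check(self, principal, obj, action):
        if action not in obj.allowed:
            decision = "deny:action"
        elif obj.is_global:
            decision = "allow:global"
        elif principal == obj.owner:
            decision = "allow:same-context"
        else:
            decision = "deny:cross-context"
        self.audit.append((principal, obj.owner, action, decision))
        if decision.startswith("deny"):
            raise AccessDenied(decision)

    def read(self, principal, obj, key):
        self._check(principal, obj, "read")
        return obj.data[key]

    def write(self, principal, obj, key, value):
        self._check(principal, obj, "write")
        obj.data[key] = value

def demo():
    b = ContextBarrier()
    purse = b.new("wallet")                  # private to the "wallet" context
    b.write("wallet", purse, "balance", 42)
    shared = b.new_global(size=4)
    b.write("wallet", shared, 0, 42)         # wallet publishes one byte
    seen = b.read("loyalty", shared, 0)      # loyalty reads it across the barrier
    with suppress(AccessDenied):
        b.read("loyalty", purse, "balance")  # direct cross-context read is refused
    return seen, [entry[3] for entry in b.audit]
```

The audit list is the part worth keeping in any real design: every use of the global structure is a deliberate hole in the barrier, so it should be as visible in review as a denial.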
50 Claims
1. A small footprint device comprising:
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized; and
a global data structure for permitting one program module to access information from another program module by bypassing said context barrier.
2-22. (canceled)
34. A method of operating a small footprint device that includes a processing machine, wherein program modules are executed on the processing machine, the method comprising:
separating contexts using a context barrier;
controlling execution, by said context barrier, of at least one instruction of one of said zero or more sets of instructions comprised by a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first one of one or more separate contexts and whether said at least one instruction is requesting access to an instance of an object definition associated with a second one of said one or more separate contexts, said separating further comprising;
preventing said access if said access is unauthorized; and
enabling said access if said access is authorized;
executing groups of one or more program modules in separate contexts, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions, wherein each different context owns at least one group of said groups associated with said different context and further wherein each context comprising a protected object instance space such that at least one of said object definitions is instantiated in association with a particular context; and
permitting access to information across said context barrier by bypassing said context barrier using a global data structure.
38. A method of permitting access to information on a small footprint device from a first program module to a second program module separated by a context barrier, said small footprint device comprising:
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized, the method comprising;
creating a global data structure which may be accessed by at least two program modules; and
using said global data structure to permit access to information across said context barrier by bypassing said context barrier.
41. A method of communicating across a context barrier separating program modules on a small footprint device, said small footprint device comprising:
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized, the method comprising;
creating a global data structure;
permitting at least one program module to write information to said global data structure; and
having at least one other program module read information from said global data structure, bypassing said context barrier.
44. A computer program product, comprising:
a memory medium; and
a computer controlling element comprising instructions for implementing a context barrier on a small footprint device and for bypassing said context barrier using a global data structure, said small footprint device comprising;
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized.
46. A computer program product, comprising:
a memory medium; and
a computer controlling element comprising instructions for separating a plurality of programs on a small footprint device by running them in respective contexts and for permitting one program to access information from another program by bypassing a context barrier using a global data structure, said small footprint device comprising;
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized.
48. A carrier wave carrying instructions for implementing a global data structure for bypassing a context barrier on a small footprint device over a communications link, said small footprint device comprising:
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized.
49. A carrier wave carrying instructions over a communications link for separating a plurality of programs on a small footprint device by running them in respective contexts and for permitting one program to access information from another program using at least one global data structure, said small footprint device comprising:
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized.
50. A method of transmitting code over a network, comprising transmitting a block of code from a server, said block of code comprising instructions for implementing a global data structure for bypassing a context barrier on a small footprint device over a communications link, said small footprint device comprising:
at least one processing element configured to execute each group of groups of one or more program modules in a different context, said one or more program modules comprising zero or more sets of executable instructions and zero or more sets of data definitions, said zero or more sets of executable instructions and said zero or more data definitions grouped as object definitions;
a memory comprising instances of objects; and
a context barrier for separating and isolating said contexts wherein each different context owns at least one group of said groups associated with said different context and further wherein said each context comprises a protected object instance space such that at least one of said object definitions is instantiated in association with that context, said context barrier configured for controlling execution of at least one instruction of one of said zero or more sets of executable instructions of a program module based at least in part on whether said at least one instruction is executed for an object instance associated with a first context and whether said at least one instruction is requesting access to an instance of an object definition associated with a second context different from said first context, said context barrier further configured to prevent said access if said access is unauthorized and to enable said access if said access is authorized.
Specification