SYSTEM AND METHOD FOR HARDWARE ACCESS CONTROL

US 20080022376A1
Filed: 06/22/2007
Published: 01/24/2008
Est. Priority Date: 06/23/2006
Status: Abandoned Application

First Claim

Patent Images

1. A system for hardware access control comprising a virtual machine system including a client operating system, a virtual machine monitor and a hardware device, the system further comprises:

an access control module provided in the virtual machine monitor and configured to send an authorization request via a network after intercepting a device access instruction from the client operating system; and

an authorization management server configured to receive the authorization request from the access control module, judge whether the authorization request satisfies a predetermined authorization strategy and feed back a response corresponding to the authorization request to the access control module,wherein the access control module determines whether the client operating system is permitted to access the hardware device based on the feedback from the authorization management server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a system and method for hardware access control comprising a virtual machine system including a client operating system, a virtual machine monitor and a hardware device, the system further comprises: an access control module provided in the virtual machine monitor and configured to send an authorization request via a network after intercepting a device access instruction from the client operating system; and an authorization management server configured to receive the authorization request from the access control module, judge whether the authorization request satisfies a predetermined authorization strategy and feed back a response corresponding to the authorization request to the access control module; wherein the access control module determines whether the client operating system is permitted to access the hardware device based on the feedback from the authorization management server. With the present invention, the access to the hardware device from the client operating system can be effectively controlled, and thus legal data copy can be guaranteed while prohibiting any illegal data copy.

72 Citations

View as Search Results

23 Claims

1. A system for hardware access control comprising a virtual machine system including a client operating system, a virtual machine monitor and a hardware device, the system further comprises:
- an access control module provided in the virtual machine monitor and configured to send an authorization request via a network after intercepting a device access instruction from the client operating system; and
  
  an authorization management server configured to receive the authorization request from the access control module, judge whether the authorization request satisfies a predetermined authorization strategy and feed back a response corresponding to the authorization request to the access control module,wherein the access control module determines whether the client operating system is permitted to access the hardware device based on the feedback from the authorization management server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, wherein the authorization request carries information including the name of the virtual machine system, the type of the hardware device to be accessed by the client operating system and the type of the hardware access instruction.
  - 3. The system of claim 2, wherein if the information carried by the authorization request doesn'"'"'t satisfy the predetermined authorization strategy, the authorization management server feeds back to the access control module an authorization request response for rejecting access, and the access control module in turn rejects the access to the hardware device from the client operating system.
  - 4. The system of claim 3, wherein the access control module further feeds back to the client operating system a response for rejecting access at the time of rejecting the access from the client operating system.
  - 5. The system of claim 2, wherein if the information carried by the authorization request satisfies the predetermined authorization strategy, the authorization management server feeds back to the access control module an authorization request response for permitting access, and to the access control module in turn allows the access to the hardware device from the client operating system.
  - 6. The system of claim 1, wherein the authorization management server records the authorization request while making judgment on the authorization request.
  - 7. The system of claim 6, wherein the authorization management server further records the authorization request response.
  - 8. The system of claim 1, wherein access mode information for each hardware device is stored in nonvolatile storage medium of the virtual machine system, said virtual machine monitor further includes an information acquisition module, andsaid access control module sends to the information acquisition module a request for acquiring access control information for the device after the virtual machine monitor intercepts the device access instruction from the client operating system;
    - said information acquisition module acquires the access control information including access mode information based on the request sent by the access control module and sends the acquired information to the access control module; and
      
      based on the obtained access control information, said access control module generates a corresponding control command to control the access to the device from the client operating system.
  - 9. The system of claim 8, wherein said virtual machine monitor further includes an device switching module for performing device switching based on the control command by the access control module.
  - 10. The system of claim 8, wherein said virtual machine system further includes an access mode setting module for setting access mode information correspondingly based on different application environments.
  - 11. The system of claim 10, wherein said access mode setting module is provided in a service operating system and/or the client operating system.
  - 12. The system of claim 8, wherein the access mode information for the hardware device stored in the nonvolatile storage medium is also saved in a predetermined region in a memory, and said information acquisition module acquires the access mode information from the predetermined region in the memory.
  - 13. The system of claim 8, wherein said access control information further includes device status information and auxiliary control information.
  - 14. The system of claim 13, wherein said device status information is stored in the predetermined region in the memory.

15. A method for hardware access control comprising steps of:
- intercepting a request for accessing a hardware device from a client operating system and generating a corresponding authorization request;
  
  judging whether the authorization request satisfies a predetermined authorization strategy and generating a response corresponding to the authorization request; and
  
  permitting or rejecting the access to the hardware device from the client operating based on the authorization request response.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23)
- - 16. The method of claim 15, wherein the authorization request response indicates the client operating system is permitted to access the hardware device if the authorization request satisfies the predetermined authorization strategy, otherwise it indicates the client operating system is rejected to access the hardware device.
  - 17. The method of claim 15, wherein the authorization request carries information including the name of the virtual machine system, the type of the hardware device to be accessed by the client operating system and the type of the hardware access instruction.
  - 18. The method of claim 15, wherein the authorization request is recoded at the time of judging whether the authorization request satisfies the predetermined authorization strategy.
  - 19. The method of claim 18, wherein the authorization request response is recorded at the time of permitting or rejecting the client operating system to access the hardware device.
  - 20. The method of claim 15, further comprising:
    - storing in a predetermined region in a memory predetermined device access information stored in nonvolatile storage medium.
  - 21. The method of claim 20, further comprising:
    - an access control module obtains a device ID and sends to an information acquisition module a request for acquiring access control information for the device;
      
      the information acquisition module acquires the access control information including predetermined device-sharing mode information based on the device ID and sends the acquired information to the access control module; and
      
      based on the access control information, the access control module decides whether the client operating system is permitted to access the device.
  - 22. The method of claim 21, wherein said step of the access control module deciding whether the client operating system is permitted to access the device based on the access control information includes:
    - if the device access mode is overall sharing mode, the access control module permits directly the access from the client operating system sending the device access instruction;
      
      orif the number of client operating systems accessing the device is limited in the device access mode, the access control module judges whether the number of the client operating systems currently accessing the device is less than the defined number and permits the access from the client operating system sending the device access instruction if the answer is yes, otherwise rejects said access, or rejects the access from a client operating system having a priority lower than that of the client operating system sending the device access instruction and permits the access from the latter, or rejects the access from a client operating system which exceeds the time for access and permits the access from the client operating system sending the device access instruction;
      
      orif there is limitation on any client operating system accessing the device in the device access mode, the access control module judges whether the client operating system sending the device access instruction is consistent with the client operating system permitted to access and permits the access from the former if it is consistent, otherwise rejects the access from it.
  - 23. The method of claim 22, wherein said predetermined access mode information is set through steps of:
    - acquiring the access mode information from the nonvolatile storage medium or the predetermined region in the memory in which the access mode information is stored; and
      
      after modifying the access mode information, updating the access mode information stored in the nonvolatile storage medium and the predetermined region in the memory with the modified access mode information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lenovo (Beijing) Limited (Lenovo Group Ltd.)
Original Assignee
Lenovo (Beijing) Limited (Lenovo Group Ltd.)
Inventors
KE, KE, Liu, Jiancheng

Application Number

US11/767,266
Publication Number

US 20080022376A1
Time in Patent Office

Days
Field of Search
US Class Current

726/5
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2115   Third party

SYSTEM AND METHOD FOR HARDWARE ACCESS CONTROL

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

72 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR HARDWARE ACCESS CONTROL

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

72 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links