System and method for restricting data transfers and managing software components of distributed computers

US 6,886,038 B1
Filed: 10/24/2000
Issued: 04/26/2005
Est. Priority Date: 10/24/2000
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and

a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein only one of the plurality of management agents can correspond to a top-level ownership domain at a time, and wherein any of the other management agents can revoke the top-level ownership domain.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A controller, referred to as the “BMonitor”, is situated on a computer. The BMonitor includes a plurality of filters that identify where data can be sent to and/or received from, such as another node in a co-location facility or a client computer coupled to the computer via the Internet. The BMonitor further receives and implements requests from external sources regarding the management of software components executing on the computer, allowing such external sources to initiate, terminate, debug, etc. software components on the computer. Additionally, the BMonitor operates as a trusted third party mediating interaction among multiple external sources managing the computer.

148 Citations

24 Claims

1. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein only one of the plurality of management agents can correspond to a top-level ownership domain at a time, and wherein any of the other management agents can revoke the top-level ownership domain.
- View Dependent Claims (2, 3, 4, 5, 13)
- - 2. A system as recited in claim 1, wherein the controller is further to terminate execution of a software engine in the system in response to a request from a management device corresponding to one of the plurality of management agents.
  - 3. A system as recited in claim 1, wherein the controller is further to initiate execution of a software engine in the system in response to a request from a management device corresponding to one of the plurality of management agents.
  - 4. A system as recited in claim 1, wherein the top-level ownership domain has a first set of rights, and wherein each of the other ownership domains in the plurality of ownership domains has a second set of rights.
  - 5. A system as recited in claim 4, wherein the second set of rights is more restrictive than the first set of rights.
  - 13. A system as recited in claim 1, wherein the system comprises a node in a co-location facility.

6. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein one of the plurality of ownership domains is a top-level ownership domain having a first set of rights, wherein each of the other ownership domains in the plurality of ownership domains has a second set of rights, and wherein the first set of rights includes;
  
  the right to create new ownership domains, the right to access system memory, the right to access a mass storage device of the system, the right to modify filters in the system, the right to start execution of software engines in the system, the right to stop execution of software engines in the system, the right to debug software engines in the system, the right to change authentication credentials for the ownership domain, the right to modify a storage key for the ownership domain, and the right to subscribe to events engine events, machine events, and packet filter events at the system.

7. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein one of the plurality of ownership domains is a top-level ownership domain having a first set of rights, wherein each of the other ownership domains in the plurality of ownership domains has a second set of rights, and wherein the second set of rights includes;
  
  the right to revoke an existing ownership domain, the right to modify filters in the system, the right to change authentication credentials for the ownership domain, and the right to subscribe to machine events and packet filter events at the system.

8. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein one of the plurality of ownership domains is a top-level ownership domain having a first set of rights, wherein each of the other ownership domains in the plurality of ownership domains has a second set of rights, and wherein the first set of rights includes;
  
  the right to create new ownership domains, the right to access system memory, the right to access a mass storage device of the system, and the right to modify filters in the system.

9. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein one of the plurality of ownership domains is a top-level ownership domain having a first set of rights, wherein each of the other ownership domains in the plurality of ownership domains has a second set of rights, and wherein the second set of rights includes;
  
  the right to revoke an existing ownership domain and the right to modify filters in the system, including the right to add a filter that cannot be subverted by a management agent assigned to the top-level ownership domain.

10. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein one of the plurality of ownership domains is a top-level ownership domain having a first set of rights, wherein each of the other ownership domains in the plurality of ownership domains has a second set of rights, and wherein the controller allows a device corresponding to any one of the other ownership domains to revoke the top-level ownership domain, and wherein the controller erases a system memory during the revocation process.

11. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein only one of the plurality of management agents can correspond to a top-level ownership domain at a time, and wherein the one management agent can create a new ownership domain for a new management agent, and wherein the new ownership domain becomes the new top-level ownership domain.

12. A system comprising:
- an interface allowing management devices corresponding to a plurality of management agents responsible for managing the system to access the system; and
  
  a controller to operate as a trusted third party mediating interaction among the plurality of management agents by assigning each of the plurality of management agents to a different one of a plurality of ownership domains and restricting the rights of each ownership domain in the system, wherein only one of the plurality of management agents can correspond to a top-level ownership domain at a time, wherein which of the plurality of management agents corresponds to the top-level ownership domain at any given time can vary over time, and wherein the controller erases a system memory each time a change occurs in which of the plurality of management agents corresponds to the top-level ownership domain.

14. A method comprising:
- associating each of a plurality of management agents with one of a plurality of ownership domains, wherein each of the plurality of management agents is responsible for managing at least a portion of a computer and is external to the computer;
  
  allowing only one of the plurality of management agents to have an extended set of rights to the computer at a time, and assigning the remaining management devices a more limited set of rights;
  
  restricting which requests from management devices corresponding to the plurality of management agents are carried out based at least in part on the rights of the management agent;
  
  allowing which of the plurality of management agents has the extended set of rights to change over time; and
  
  erasing a system memory each time a change occurs in which of the plurality of management agents has the extended set of rights.
- View Dependent Claims (15, 21, 22, 23, 24)
- - 15. A method as recited in claim 14, where each of the plurality of management agents corresponds to one or more management devices that are coupled to the computer.
  - 21. A method as recited in claim 14, further comprising:
    - assigning, by the one management agent having the extended set of rights, the extended set of rights to a new management agent;
      
      assigning the one management agent to having the more limited set of rights.
  - 22. A method as recited in claim 14, further comprising terminating execution of a software engine in the computer in response to a request from a management device corresponding the one management agent having the extended set of rights.
  - 23. A method as recited in claim 14, further comprising initiating execution of a software engine in the computer in response to a request from a management device corresponding to the one management agent having the extended set of rights.
  - 24. A method as recited in claim 14, wherein the computer comprises a node in a co-location facility.

16. A method comprising:
- associating each of a plurality of management agents with one of a plurality of ownership domains, wherein each of the plurality of management agents is responsible for managing at least a portion of a computer and is external to the computer;
  
  allowing only one of the plurality of management agents to have an extended set of rights to the computer at a time, and assigning the remaining management devices a more limited set of rights, wherein the extended set of rights includes;
  
  the right to create new ownership domains, the right to access system memory, the right to access a mass storage device of the system, the right to modify filters in the system, the right to start execution of software engines in the system, the right to stop execution of software engines in the system, the right to debug software engines in the system, the right to change authentication credentials for the ownership domain, the right to modify a storage key for the ownership domain, and the right to subscribe to events engine events, machine events, and packet filter events at the system; and
  
  restricting which requests from management devices corresponding to the plurality of management agents are carried out based at least in part on the rights of the management agent.

17. A method comprising:
- associating each of a plurality of management agents with one of a plurality of ownership domains, wherein each of the plurality of management agents is responsible for managing at least a portion of a computer and is external to the computer;
  
  allowing only one of the plurality of management agents to have an extended set of rights to the computer at a time, and assigning the remaining management devices a more limited set of rights, wherein the more limited set of rights includes;
  
  the right to revoke an existing ownership domain, the right to modify filters in the system, the right to change authentication credentials for the ownership domain, and the right to subscribe to machine events and packet filter events at the system; and
  
  restricting which requests from management devices corresponding to the plurality of management agents are carried out based at least in part on the rights of the management agent.

18. A method comprising:
- associating each of a plurality of management agents with one of a plurality of ownership domains, wherein each of the plurality of management agents is responsible for managing at least a portion of a computer and is external to the computer;
  
  allowing only one of the plurality of management agents to have an extended set of rights to the computer at a time, and assigning the remaining management devices a more limited set of rights, wherein the extended set of rights includes;
  
  the right to create new ownership domains, the right to access system memory, the right to access a mass storage device of the system, and the right to modify filters in the system; and
  
  restricting which request from management devices corresponding to the plurality of management agents are carried out based at least in part on the rights of the management agent.

19. A method comprising:
- associating each of a plurality of management agents with one of a plurality of ownership domains, wherein each of the plurality of management agents is responsible for managing at least a portion of a computer and is external to the computer;
  
  allowing only one of the plurality of management agents to have an extended set of rights to the computer at a time, and assigning the remaining management devices a more limited set of rights, wherein the more limited set of rights includes;
  
  the right to revoke an existing ownership domain and the right to modify filters in the system, including the right to add a filter that cannot be subverted by a management agent assigned to the top-level ownership domain; and
  
  restricting which requests from management devices corresponding to the plurality of management agents are carried out based at least in part on the rights of the management agent.

20. A method comprising:
- associating each of a plurality of management agents with one of a plurality of ownership domains, wherein each of the plurality of management agents is responsible for managing at least a portion of a computer and is external to the computer;
  
  allowing only one of the plurality of management agents to have an extended set of rights to the computer at a time, and assigning the remaining management devices a more limited set of rights, wherein the one management agent corresponds to a top-level ownership domain, and wherein any of the other management agents can revoke the rights of the one management agent; and
  
  restricting which requests from management devices corresponding to the plurality of management agents are carried out based at least in part on the rights of the management agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Tabbara, Bassam, Hunt, Galen C., Welland, Robert V., Hydrie, Aamer, Stutz, David S., Levi, Steven P.
Primary Examiner(s)
Cuchlinski, Jr., William A.
Assistant Examiner(s)
MANIWANG, JOSEPH R

Application Number

US09/695,820
Time in Patent Office

1,645 Days
Field of Search

709/223, 709/224, 709/227, 709/229, 709/249, 718/101, 713/200, 713/201, 713/202
US Class Current

709/223
CPC Class Codes

H04L 67/34 involving the movement of s...

H04L 69/329 in the application layer [O...

System and method for restricting data transfers and managing software components of distributed computers

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

148 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

System and method for restricting data transfers and managing software components of distributed computers

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

148 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others