Techniques for permitting access across a context barrier in a small footprint device using shared object interfaces

US 7,093,122 B1
Filed: 01/22/1999
Issued: 08/15/2006
Est. Priority Date: 01/22/1999
Status: Expired due to Term

First Claim

Patent Images

1. A small footprint device comprising:

a. at least one processing element on said small footprint device;

b. memory on said small footprint device, andc. a context barrier, on said small footprint device, for isolating program modules, on said small footprint device, from one another wherein said program modules use said memory and execute on said processing element,d. in which at least one program module contains one or more shared interface objects for permitting access by another program module across said context barrier.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A small footprint device can securely run multiple programs from unrelated vendors by the inclusion of a context barrier isolating the execution of the programs. The context barrier performs security checks to see that principal and object are within the same namespace or memory space or to see that a requested action is authorized for an object to be operated upon. Each program or set of programs runs in a separate context. Access from one program to another program across the context barrier can be achieved under controlled circumstances by using shared interface objects. Shared interface objects have a property that permits them to be accessed across the context barrier regardless of security restrictions that would otherwise apply. Shared interface objects, however, may enforce their own security rules independently of the context barrier.

Citations

38 Claims

1. A small footprint device comprising:
- a. at least one processing element on said small footprint device;
  
  b. memory on said small footprint device, andc. a context barrier, on said small footprint device, for isolating program modules, on said small footprint device, from one another wherein said program modules use said memory and execute on said processing element,d. in which at least one program module contains one or more shared interface objects for permitting access by another program module across said context barrier.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The small footprint device of claim 1 in which a program module is configured to specify a particular one of a plurality of shared interface objects to be accessed.
  - 3. The small footprint device of claim 1 in which a program module containing a shared interface object is configured to return a reference to a shared interface object across the context barrier.
  - 4. The small footprint device of claim 3 in which the program module containing a shared interface object is configured to perform one or more security checks before returning the reference to a shared interface object across the context barrier.
  - 5. The small footprint device of claim 3 in which a program module is configured to use the reference to a shared interface object to access the shared interface object across the context barrier.

6. A method of permitting access between program modules on different sides of a context barrier on a small footprint device, said method comprising:
- a. identifying at least part of one program module on one side of said context barrier as a shared interface object, andb. providing a reference to the shared interface object to a second program module on another side of said context barrier wherein said program modules use a memory of said small footprint device and execute on a processing element of said small footprint device.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 7. The method of claim 6 in which said reference is provided only if said one program module permits the reference to be returned after performing a security check.
  - 8. The method of claim 7 further comprising using said reference to access said shared interface object by the second program module.
  - 9. The method of claim 8 wherein the using said reference to access said shared interface object includes switching context to said second program module.
  - 10. The method of claim 6 in which said context barrier allocates a separate name space for each program module.
  - 11. The method of claim 10 in which said shared interface object can be accessed by program modules regardless of the name spaces in which the program modules are located.
  - 12. The method of claim 6 in which said context barrier allocates a separate memory space for each program module.
  - 13. The method of claim 12 in which said shared interface object can be accessed by program modules regardless of the memory spaces in which the program modules are located.
  - 14. The method of claim 13 in which a processing element runs each program module as a separate context.
  - 15. The method of claim 13 in which said context barrier enforces security checks on at least one of a principal, an object and an action.
  - 16. The method of claim 14 in which the context barrier performs at least one security check based on partial name agreement between a principal and an object.
  - 17. The method of claim 14 in which at least one security check is based on memory space agreement between a principal and an object.

18. A method of operating a small footprint device, comprising separating program modules, on said small footprint device, using a context barrier, on said small footprint device, and permitting access to shared interface objects across the context barrier wherein said program modules use a memory of said small footprint device and execute on a processing element of said small footprint device.
- View Dependent Claims (19)
- - 19. The method of claim 18 in which the context barrier prevents a principal from performing an action on an object unless both the principal and the object are part of a same context or the action is authorized for the object and in which a request for access to a shared interface object is always authorized.

20. A computer program product comprisinga memory medium having embedded therein instructions for implementing a context barrier on a small footprint device and for bypassing said context barrier using a shared interface object.

21. A computer program product, comprisinga memory medium having embedded therein instructions for separating a plurality of programs on a small footprint device by running the plurality of programs in respective contexts and for permitting one program to access one or more shared interface objects of another program.

22. A small footprint device comprising:
- a. at least one processing element on said small footprint device;
  
  b. memory on said small footprint device, andc. a context barrier, on said small footprint device, for isolating program modules, on said small footprint device, from one another wherein said program modules use said memory and execute on said processing element,d. in which at least one program module contains one or more shared interface objects which are unknown to at least one other program module across said context barrier.
- View Dependent Claims (23, 24)
- - 23. The small footprint device of claim 22 in which a program module is configured to query at least one context for a list of one or more shared interface objects that can be accessed.
  - 24. The small footprint device of claim 22 in which a program module containing at least one shared interface object is configured to return the identity of one or more shared interface objects across the context barrier.

25. A method of permitting access between a first program module and a second program module on different sides of a context barrier on said small footprint device, said method comprising:
- a. querying said second program module for the identity of one or more shared interface objects contained in said second program module,b. providing a reference to at least one shared interface object of said second program module to said first program module, andc. using said reference provided to said first program module to access said shared interface object of said second program module wherein said first and second program modules use a memory of said small footprint device and execute on a processing element of said small footprint device.
- View Dependent Claims (26)
- - 26. The method of claim 25, in which the providing includes selecting one of a plurality of shared interface objects from a list.

27. A method of permitting access between a first program module and a second program module on different sides of a context barrier on said small footprint device, said method comprising:
- a. obtaining the identity of one or more shared interface objects in said second program module,b. designating, using said first program module, a shared interface object of said second program module to be accessed across a context barrier, andc. returning a reference to said shared interface object to said first program module wherein said first and second program modules use a memory of said small footprint device and execute on a processing element of said small footprint device.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35)
- - 28. The method of claim 27 in which said first program module uses said reference to said shared interface object to access said object.
  - 29. The method of claim 28 in which the returning a reference to said shared interface object includes switching context to said second program module to obtain said reference.
  - 30. The method of claim 29 in which said second program module performs access to said shared interface object and returns said reference to said first program module if the first program module satisfies all security constraints.
  - 31. The method of claim 27 in which said context barrier allocates a separate name space for each program module.
  - 32. The method of claim 31 in which said shared interface object can be accessed by program modules regardless of the name spaces in which the program modules are located.
  - 33. The method of claim 27 in which said context barrier allocates a separate memory space for each program module.
  - 34. The method of claim 33 in which said shared interface object can be accessed by program modules regardless of the memory spaces in which the program modules are located.
  - 35. The method of claim 34 in which a processing element runs each program module as a separate context.

36. A method of operating a small footprint device, said method comprising:
- a. separating program modules using a context barrier on said small footprint device,b. querying one program module for the identity of at least one shared interface object contained in said one program module, andc. permitting access to one or more shared interface objects across the context barrier wherein said program modules use a memory of said small footprint device and execute on a processing element of said small footprint device.
- View Dependent Claims (37)
- - 37. The method of claim 36 in which the context barrier prevents a principal from performing an action on an object unless both the principal and the object are part of a same context or the action is authorized for the object and in which a request is for access to a shared interface object is always authorized.

38. A computer program product comprising a memory medium having embedded therein computer readable instructions for implementing a context barrier on a small footprint device, for querying a program module for the identity of any shared interface objects and for bypassing said context barrier using a shared interface object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Streich, Andy, Susser, Joshua, Butler, Mitchel B.
Primary Examiner(s)
Banankhah, Majid

Application Number

US09/235,159
Time in Patent Office

2,762 Days
Field of Search

709/100, 709/101, 709/102, 709/103, 709/104, 713/200, 713/201, 713/202, 713/232, 713/153, 713/159, 713/167, 380/45, 380/57, 380/255, 705/26, 705/27, 705/30, 718/100, 718/101, 718/102, 718/103, 718/104, 718/108, 719/200, 719/203, 719/315, 719/313
US Class Current

713/153
CPC Class Codes

G06F 21/556   involving covert channels, ...

G06F 2221/2153   Using hardware token as a s...

G06F 9/468   Specific access rights for ...

Techniques for permitting access across a context barrier in a small footprint device using shared object interfaces

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for permitting access across a context barrier in a small footprint device using shared object interfaces

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links