Configuration of isolated extensions and device drivers

US 8,074,231 B2
Filed: 06/30/2006
Issued: 12/06/2011
Est. Priority Date: 10/26/2005
Status: Active Grant

First Claim

Patent Images

1. A computer storage device having processor executable instructions that, when executed by a processor, perform a method comprising:

obtaining an untrusted device driver, wherein the untrusted device driver is a set of executable instructions;

determining a set of computing resources required for execution of the set of executable instructions of the untrusted device driver, wherein the determining act comprises obtaining a processor-readable manifest associated with the untrusted device driver, the device-driver manifest specifying the set of computing resources required for execution of the set of executable instructions of the untrusted device driver, the set of computing resources selected from a group consisting of a hardware resource, a memory, an input/output port, an interrupt request line, and an inter-process communication channel; and

providing one or more trusted local-access objects for use by the untrusted device driver for access to the required set of computing resources, the one or more trusted local-access objects being exclusive gateways that provide the only means of access to the required set of computing resources for the untrusted device driver, wherein the providing act, in response to the determining act, comprises generating one or more trusted local-access objects for use by the untrusted device driver for access to at least one computing resource of the required set of computing resources, the one or more trusted local-access objects being provided by an operating system and comprising executable instructions, wherein the generating of the one or more trusted local-access objects for access to at least one particular computing resource comprises;

obtaining a set of executable instructions associated with the at least one particular computing resource;

providing access for the untrusted device driver to the obtained set of executable instructions that is associated with the at least one particular computing resource; and

initiating execution of the set of executable instructions of the untrusted device driver and the executable instructions of the one or more trusted local-access objects.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some implementations, the operations of a software system may include the execution of untrusted device drivers. The execution of an untrusted device driver may be initiated when an untrusted device driver that is a set of executable instructions is obtained. A computing resource for the execution of the device driver may be further determined from a device-driver manifest of the untrusted device driver. Computing resources may include one or more of a hardware resource, a memory, an input/output port, an interrupt request line, and an inter-process communication channel. Trusted local access objects may be used by the untrusted device driver to access the computing resources.

Citations

13 Claims

1. A computer storage device having processor executable instructions that, when executed by a processor, perform a method comprising:
- obtaining an untrusted device driver, wherein the untrusted device driver is a set of executable instructions;
  
  determining a set of computing resources required for execution of the set of executable instructions of the untrusted device driver, wherein the determining act comprises obtaining a processor-readable manifest associated with the untrusted device driver, the device-driver manifest specifying the set of computing resources required for execution of the set of executable instructions of the untrusted device driver, the set of computing resources selected from a group consisting of a hardware resource, a memory, an input/output port, an interrupt request line, and an inter-process communication channel; and
  
  providing one or more trusted local-access objects for use by the untrusted device driver for access to the required set of computing resources, the one or more trusted local-access objects being exclusive gateways that provide the only means of access to the required set of computing resources for the untrusted device driver, wherein the providing act, in response to the determining act, comprises generating one or more trusted local-access objects for use by the untrusted device driver for access to at least one computing resource of the required set of computing resources, the one or more trusted local-access objects being provided by an operating system and comprising executable instructions, wherein the generating of the one or more trusted local-access objects for access to at least one particular computing resource comprises;
  
  obtaining a set of executable instructions associated with the at least one particular computing resource;
  
  providing access for the untrusted device driver to the obtained set of executable instructions that is associated with the at least one particular computing resource; and
  
  initiating execution of the set of executable instructions of the untrusted device driver and the executable instructions of the one or more trusted local-access objects.
- View Dependent Claims (2, 3, 4)
- - 2. The computer storage device as recited in claim 1, wherein the method further comprises confirming that the device driver is authorized to access the required set of computing resources.
  - 3. The computer storage device as recited in claim 1, wherein the set of executable instructions associated with the particular computing resource is provided by an operating system.
  - 4. The computer storage device as recited in claim 1, wherein the method further comprises providing an operating system.

5. A computer storage device having processor-executable instructions that, when executed by a processor, perform a method comprising:
- obtaining an untrusted device driver comprising a set of executable instructions and the untrusted device driver being configured to access one or more computing resources;
  
  before the set of executable instructions of the untrusted device driver are executed, determining one or more target computing resources that the untrusted device driver will seek to access when the set of executable instructions of the device driver are executed;
  
  providing one or more trusted local-access objects to the untrusted device driver so that the untrusted device driver gains access to the one or more target computing resources via the provided one or more trusted local-access objects, the trusted local access objects comprising a set of executable instructions having one or more data structures that provide an exclusive gateway to one or more target computing resources; and
  
  wherein each of the trusted local-access objects are associated with one or more computing resources and the method further comprises restricting access of the untrusted device driver to the one or more target computing resources and such restricted access occurs only via the one or more trusted local-access objects associated with the associated one or more target computing resources.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The computer storage device as recited in claim 5, wherein the method further comprises confirming that the untrusted device driver is authorized to access the one or more target computing resources.
  - 7. The computer storage device as recited in claim 5, wherein each of the trusted local-access objects are associated with one or more computing resources.
  - 8. The computer storage device as recited in claim 5, wherein the computing resources are selected from a group consisting of a hardware resource, memory, input/output port, interrupt request line, and inter-process communication channel.
  - 9. The computer storage device as recited in claim 5, wherein the method further comprises initiating execution of the executable instructions of the one or more of the untrusted device driver.
  - 10. The computer storage device as recited in claim 5, wherein the method further comprises providing an operating system.

11. A computer storage device having processor-executable instructions that, when executed by a processor, perform a method comprising:
- obtaining an untrusted program module comprising a set of executable instructions and the untrusted program module being configured to access one or more computing resources;
  
  before the set of executable instructions of the untrusted program module are executed, determining one or more target computing resources of the untrusted program module, wherein the one or more target computing resources are computing resources that the untrusted program module will seek to access when the set of executable instructions of the program module are executed;
  
  providing one or more trusted local-access objects to the untrusted program module so that the untrusted program module gains access to the one or more target computing resources via the provided one or more trusted local-access objects, the one or more trusted local-access objects comprising a set of executable instructions having one or more data structures that provide an exclusive gateway to the one or more target computing resources;
  
  permitting the program module to access the one or more target computing resources only via the one or more trusted local-access objects;
  
  preventing installation of the untrusted program module due to conflicts with another untrusted program module currently accessing one or more target computing resources via the one or more local-access;
  
  preventing startup of the untrusted program module upon failure to access one or more target computing resources because the one or more target computing resources is already allocated to another program module;
  
  preventing access to one or more computing resources that are not specified in the set of target computing resources required for execution of the set of executable instructions of the untrusted program module; and
  
  permitting stopping and restarting of the untrusted program module via the one or more local-access objects, while an operational operating system remains operational.
- View Dependent Claims (12, 13)
- - 12. The computer storage device as recited in claim 11, wherein the method further comprises confirming that the program module is authorized to access the one or more target computing resources.
  - 13. The computer storage device as recited in claim 11, wherein the untrusted program module is a device driver.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hunt, Galen C., Larus, James R., Hodson, Orion, Tarditi, David R., Spear, Michael, Carbin, Michael, Levi, Steven P., Fähndrich, Manuel A, Steensgaard, Bjame
Primary Examiner(s)
Ho, Andy
Assistant Examiner(s)
Mudrick, Timothy A

Application Number

US11/428,096
Publication Number

US 20070094673A1
Time in Patent Office

1,985 Days
Field of Search

719/321
US Class Current

719/321
CPC Class Codes

G06F 9/4411 Configuring for operating w...

Configuration of isolated extensions and device drivers

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Configuration of isolated extensions and device drivers

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links