Access unit switching through physical mediation

US 8,146,138 B2
Filed: 12/15/2005
Issued: 03/27/2012
Est. Priority Date: 12/15/2005
Status: Active Grant

First Claim

Patent Images

1. A computer comprising:

a processor; and

a fast trusted access unit switch module stored in a virtual machine monitor of the computer and executable on the processor configured to;

verify identity of a user of a single account on a computing device including a fast trusted access unit switching module that enables the user to securely switch between a plurality of levels of allowable privilege and access rights;

determine the plurality of levels of allowable privilege and access rights which afforded to the user of the single account, the plurality of levels of allowable privilege and access rights includes at least a high level and a low level;

establish a plurality of access units on the computing device with each of the access units capable of having a plurality of levels of privilege and access rights;

grant access to the user of the single account to interface with the access unit, via the fast trusted access unit switch module, with the low level of privilege and access rights required to interface with the access unit; and

change the low level of privilege and access rights to the high level of privilege and access rights for the user of the single account when the user of the single account is required to interface with the access unit using the high level of privilege and access rights when the user initiates a first physical action that generates a signal that is provided to an isolation kernel via a trusted path; and

change the high level of privilege and access right to the low level of privilege and access rights for the user of the single account when the user of the single account is not required to interface with the access unit using the high level of privilege and access rights when the user initiates a second physical action that generates a signal that is provided to the isolation kernel via the trusted path.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plurality of access units may be established with varying levels of privilege and access rights, such that the user may perform tasks carrying with them a high risk of viral infection in an access unit with a low level of privilege and access rights. When an authenticated user desires to perform tasks requiring a higher level of privilege and access rights, the user may switch to an access unit having a higher privilege and access rights level by instigating a physical action. The physical action may include selecting a button (included in either a UI or on a peripheral device), or inputting biometric data to switch among running access units. A signal instigated by the physical action is transmitted along a trusted path between the isolation kernel and where the physical action was instigated.

30 Citations

View as Search Results

9 Claims

1. A computer comprising:
- a processor; and
  
  a fast trusted access unit switch module stored in a virtual machine monitor of the computer and executable on the processor configured to;
  
  verify identity of a user of a single account on a computing device including a fast trusted access unit switching module that enables the user to securely switch between a plurality of levels of allowable privilege and access rights;
  
  determine the plurality of levels of allowable privilege and access rights which afforded to the user of the single account, the plurality of levels of allowable privilege and access rights includes at least a high level and a low level;
  
  establish a plurality of access units on the computing device with each of the access units capable of having a plurality of levels of privilege and access rights;
  
  grant access to the user of the single account to interface with the access unit, via the fast trusted access unit switch module, with the low level of privilege and access rights required to interface with the access unit; and
  
  change the low level of privilege and access rights to the high level of privilege and access rights for the user of the single account when the user of the single account is required to interface with the access unit using the high level of privilege and access rights when the user initiates a first physical action that generates a signal that is provided to an isolation kernel via a trusted path; and
  
  change the high level of privilege and access right to the low level of privilege and access rights for the user of the single account when the user of the single account is not required to interface with the access unit using the high level of privilege and access rights when the user initiates a second physical action that generates a signal that is provided to the isolation kernel via the trusted path.
- View Dependent Claims (2)
- - 2. The computer of claim 1, wherein the fast trusted access unit switch module only allows the user to run access units having levels of privilege and access rights at or below the maximum level of privilege and access rights associated with the user.

3. One or more computer-readable devices having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- verifying the identity of a user of a single account on a computing device including a fast trusted access unit switching module that enables the user to securely switch between a plurality of levels of allowable privilege and access rights;
  
  determining the plurality of levels of allowable privilege and access rights which can be afforded to the user of the single account, the plurality of levels of allowable privilege and access rights includes at least a high level and a low level;
  
  establishing a plurality of access units on the computing device with each of the access units capable of having a plurality of levels of privilege and access rights;
  
  granting access to the user of the single account to interface with the access unit, via the fast trusted access unit switch module, with the low level of privilege and access rights required to interface with the access unit; and
  
  changing the low level of privilege and access rights to the high level of privilege and access rights for the user of the single account when the user of the single account is required to interface with the access unit using the high level of privilege and access rights when the user initiates a first physical action that generates a signal that is provided to an isolation kernel via a trusted path; and
  
  changing the high level of privilege and access right to the low level of privilege and access rights for the user of the single account when the user of the single account is not required to interface with the access unit using the high level of privilege and access rights when the user initiates a second physical action that generates a signal that is provided to the isolation kernel via the trusted path.
- View Dependent Claims (4, 5, 6, 7, 8, 9)
- - 4. The one or more computer-readable devices as recited in claim 3, wherein establishing a plurality of access units comprises allowing the user to choose from among a plurality of at least partially preset access units having levels of privilege and access rights not exceeding the high level of allowable privilege and access rights which can be afforded to the user.
  - 5. The one or more computer-readable devices as recited in claim 3, wherein establishing a plurality of access units comprises allowing the user to create a plurality of access units having levels of privilege and access rights not exceeding the high level of allowable privilege and access rights which can be afforded to the user.
  - 6. The one or more computer-readable devices as recited in claim 3, wherein each access unit comprises an instance of an operating system.
  - 7. The one or more computer-readable devices as recited in claim 3, wherein each access unit comprises a collection of interactive programs that are being used by the user.
  - 8. The one or more computer-readable devices as recited in claim 3, further comprising instructions therein that, when executed by a computing device, cause the computing device to display an access unit selection user interface allowing the user to see and select between all open access units.
  - 9. The one or more computer-readable devices as recited in claim 3, wherein allowing the user to switch between access units comprises receiving data from a peripheral device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Chen, YuQun, Peinado, Marcus
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
Mehedi, Morshed

Application Number

US11/275,146
Publication Number

US 20070143839A1
Time in Patent Office

2,294 Days
Field of Search

726/4, 713/200
US Class Current

726/4
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 21/629   to features or functions of...

Access unit switching through physical mediation

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

30 Citations

9 Claims

Specification

Use Cases

Quick Links

Others

Access unit switching through physical mediation

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

9 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others