Restricted transmogrifying driver platform

US 9,075,985 B2
Filed: 05/31/2013
Issued: 07/07/2015
Est. Priority Date: 05/31/2013
Status: Active Grant

First Claim

Patent Images

1. A method implemented by a computing device, the method comprising:

obtaining a transmogrifying driver contained in a driver package having a designated format associated with a driver security platform;

recognizing the designated format of the driver package upon installation based at least in part on identifying data included with the driver package;

in response to said recognizing, registering the transmogrifying driver with the driver security platform implemented by the computing device;

instantiating a restricted execution environment for the transmogrifying driver via the driver security platform; and

executing the transmogrifying driver within the restricted execution environment to perform one or more tasks at the direction of the driver security platform.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A restricted transmogrifying driver platform is described herein. In one or more implementations, a platform is provided that enables a restricted execution environment for virtual private network (VPN) drivers and other transmogrifying drivers. The platform may be implemented as an operating system component that exposes an interface through which drivers may register with the platform and be invoked to perform functions supported by the platform. The restricted execution environment places one or more restrictions upon transmogrifying drivers that operate via the platform. For instance, execution may occur in user mode on a per-user basis and within a sandbox. Further, the platform causes associated drivers to run as background processes with relatively low privileges. Further, the platform may suspend the drivers and control operations of the driver by scheduling of background tasks. Accordingly, exposure of the transmogrifying drivers to the system is controlled and limited through the platform.

14 Citations

View as Search Results

20 Claims

1. A method implemented by a computing device, the method comprising:
- obtaining a transmogrifying driver contained in a driver package having a designated format associated with a driver security platform;
  
  recognizing the designated format of the driver package upon installation based at least in part on identifying data included with the driver package;
  
  in response to said recognizing, registering the transmogrifying driver with the driver security platform implemented by the computing device;
  
  instantiating a restricted execution environment for the transmogrifying driver via the driver security platform; and
  
  executing the transmogrifying driver within the restricted execution environment to perform one or more tasks at the direction of the driver security platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as described in claim 1, wherein the transmogrifying driver is executed in user mode.
  - 3. A method as described in claim 1, wherein the transmogrifying driver is executed on a per-user basis.
  - 4. A method as described in claim 1, wherein the restricted execution environment establishes an application container configured to isolate the transmogrifying driver to restrict access by the transmogrifying driver to system resources.
  - 5. A method as described in claim 4, wherein the application container is further configured to deny access to the transmogrifying driver by components that are not associated with the driver security platform.
  - 6. A method as described in claim 1, wherein the restricted execution environment comprises a background process for the transmogrifying driver for which scheduling of tasks is handled by the driver security platform.
  - 7. A method as described in claim 1, wherein the restricted execution environment is configured to suspend the transmogrifying driver in the absence of explicit invocation of the transmogrifying driver to perform tasks by the driver security platform.
  - 8. A method as described in claim 1, wherein the restricted execution environment is configured to selectively enable operations of the transmogrifying driver in dependence upon user consent.
  - 9. A method as described in claim 1,wherein said obtaining the transmogrifying driver is performed over a network from an application store of a service provider.
  - 10. A method as described in claim 1, wherein the transmogrifying driver is configured to transform data from one form to another.
  - 11. A method as described in claim 1, wherein the driver security platform is implemented as component of an operating system for the computing device.
  - 12. A method as described in claim 1, wherein the transmogrifying driver comprises a virtual private network (VPN) driver configured to encapsulate and decapsulate packet for VPN communications over a network.

13. One or more computer-readable storage media storing instructions that, when executed by one or more components of a computing device, implement a driver security platform configured to perform operations including:
- obtaining a transmogrifying driver transmogrifying driver contained in a driver package having a designated format associated with a driver security platform;
  
  recognizing an association of the transmogrifying driver with the driver security platform based at least in part on identifying data included with the driver package;
  
  in response to said recognizing, ascertaining a set of tasks enabled for the transmogrifying driver through the driver security platform;
  
  establishing an execution environment that restricts operation of the transmogrifying driver to the set of tasks that are enabled through the driver security platform; and
  
  controlling operation of the transmogrifying driver through the execution environment that restricts operation of the transmogrifying driver to the set of tasks that are enabled.
- View Dependent Claims (14, 15, 16, 17)
- - 14. One or more computer-readable storage media as recited in claim 13, wherein:
    - the transmogrifying driver comprises a virtual private network (VPN) driver; and
      
      the set of tasks that are enabled through the driver security platform for the VPN driver is restricted to connect, disconnect, encapsulate, and decapsulate tasks associated with VPN communications with a VPN server over a network.
  - 15. One or more computer-readable storage media as recited in claim 13, wherein controlling the operation of the transmogrifying driver includes:
    - invoking the transmogrifying driver to perform the set of tasks that are enabled; and
      
      suspending the transmogrifying driver in the absence of direction by the platform to perform tasks.
  - 16. One or more computer-readable storage media as recited in claim 13, wherein controlling the operation of the transmogrifying driver includes scheduling the set of tasks as background tasks that are brokered by the driver security platform.
  - 17. One or more computer-readable storage media as recited in claim 13, wherein the execution environment comprises a sandboxed application container that is executed in user mode on a per-user basis and assigned a low privilege token configured to prevent system access except with respect to the set of tasks that are enabled.

18. A computing system comprising:
- one or more processing components;
  
  one or more computer-readable storage media storing instructions that, when executed by the one or more processing components, implement a driver security platform that restricts operation of at least one VPN driver including;
  
  a driver manager module to;
  
  obtain the VPN driver over a network from an application store of a service provider, the VPN driver contained in a driver package having a designated format associated with the driver security platform;
  
  recognize the designated format of the driver package upon installation based at least in part on identifying data included with the driver package including an identifier, code, or file extension;
  
  in response to said recognizing, establish an application container to contain the VPN driver that is executed in user mode on a per-user basis and assigned a low privilege token configured to prevent system access except with respect to a defined set of tasks that are explicitly enabled for the VPN driver by the driver security platform;
  
  a background manager to;
  
  instantiate a background process for the application container that contains the VPN driver;
  
  handle scheduling of the defined set of tasks via the background process; and
  
  suspended the background process other than when the defined set of tasks are being performed at the direction of the driver manager module; and
  
  an event broker to produce events to broker interaction between the VPN driver and system services to perform tasks that are scheduled via the background manager module.
- View Dependent Claims (19, 20)
- - 19. A computing system as described in claim 18, wherein the events produced by the event broker include user interface (UI) events for brokering of interactions with UI components exposed via the computing device.
  - 20. A computing system as described in claim 18, wherein the defined set of tasks that are explicitly enabled for the VPN driver by the driver security platform include one or more of connect, disconnect, encapsulate, and decapsulate tasks associated with VPN communications with a VPN server over a network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Diaz-Cuellar, Gerardo, Gupta, Dhiraj Kant
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US13/906,902
Publication Number

US 20140359706A1
Time in Patent Office

767 Days
Field of Search

726 1- 4, 726/16, 726/17, 726 21- 30, 709217-237, 719321-327
US Class Current

1/1
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/45   Structures or tools for the...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/70   Protecting specific interna...

H04L 63/08   for authentication of entit...

Restricted transmogrifying driver platform

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Restricted transmogrifying driver platform

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links