Security techniques for device assisted services
First Claim
1. A wireless end-user device, comprising:
- a wireless wide area network (WWAN) modem to receive and transmit Internet data between the device and at least one WWAN when configured for and connected to the at least one WWAN; and
- one or more processors configured to execute one or more processes in a kernel execution partition, one or more processes in an application execution partition, and one or more processes in a protected execution partition, the one or more processes executed in the kernel execution partition including an operating system packet network stack to pass Internet data packet traffic between the WWAN modem and one or more applications executing in the application execution partition, an application identification agent to classify individual flows of the Internet data packet traffic passing through the stack according to which of the one or more applications is associated with a particular individual flow, a service measurement agent to measure, for classified individual flows, an amount of the Internet data packet traffic associated with each of the one or more applications, and a policy control agent to apply application-specific traffic policy controls to classified individual flows, the one or more processes executed in the protected execution partition including one or more device agents with limited privileges to access processes executing in the kernel execution partition, including a privilege to configure the application-specific traffic policy controls of the policy control agent, and a privilege to receive at least one of Internet data packet traffic passing between the operating system packet network stack and the WWAN modem, and traffic information including the measured amount of the Internet data packet traffic associated with each of the one or more applications.
Abstract
A wireless end-user device has a wireless wide-area network (WWAN) modem and multiple execution environments. Applications execute in an application execution partition. A kernel execution partition executes processes for classifying, by application, traffic passing between the WWAN modem and the applications, measuring per-application traffic, and applying per-application traffic policies to the traffic. A separate protected execution partition contains agents to receive the traffic measurements, configure the traffic policies, and securely communicate with a network service controller. Low-level traffic measurement and control are advantageously and efficiently performed in the kernel, while the traffic-management processes that interface with the kernel are separately secured to resist hacking.
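To make the partition boundary described in the abstract concrete, the following is an added Python model (not code from the patent or its assignee): the kernel-side agents perform classification, per-application counting and policy enforcement, and the protected-partition device agent is constructed from only two capabilities, configure-policy and read-measurements, so it cannot reach any other kernel state. The flow records, application names and byte cap are constructed sample values.

```python
from collections import defaultdict

# Constructed sample flow segments: (application name, bytes). In the claim the
# application identification agent derives the app from the flow; the name is
# carried alongside the flow here to keep the model small.
SAMPLE_FLOWS = [("mail", 1200), ("video", 600_000), ("mail", 800),
                ("video", 500_000), ("maps", 5000)]


class KernelPartition:
    """Kernel-side agents: classification, per-app measurement, policy control."""
    def __init__(self):
        self._usage = defaultdict(int)   # service measurement agent counters
        self._caps = {}                  # policy: app -> byte cap (0 blocks the app)

    def _classify(self, flow):           # application identification agent
        return flow[0]

    def handle(self, flow):
        """Pass one flow segment through the stack; return True if forwarded."""
        app, nbytes = self._classify(flow), flow[1]
        cap = self._caps.get(app)
        if cap is not None and self._usage[app] + nbytes > cap:
            return False                 # policy control agent drops it
        self._usage[app] += nbytes       # measured only when actually forwarded
        return True

    # The only two entry points handed to the protected partition.
    def configure_policy(self, app, byte_cap):
        self._caps[app] = byte_cap

    def report_usage(self):
        return dict(self._usage)         # copy: counters cannot be rewritten


class ProtectedAgent:
    """Device agent in the protected partition. It holds two capabilities, not the
    kernel object, so a compromised agent cannot reset counters or touch the stack."""
    def __init__(self, configure_policy, report_usage):
        self._configure, self._report = configure_policy, report_usage

    def apply_plan(self, plan):          # plan: app -> byte cap (e.g. from a service controller)
        for app, cap in plan.items():
            self._configure(app, cap)

    def usage(self):
        return self._report()


def run_demo(flows=SAMPLE_FLOWS, plan=None):
    """Return (number of forwarded segments, per-app usage) for the sample traffic."""
    kernel = KernelPartition()
    agent = ProtectedAgent(kernel.configure_policy, kernel.report_usage)
    agent.apply_plan(plan if plan is not None else {"video": 1_000_000})
    forwarded = sum(kernel.handle(f) for f in flows)
    return forwarded, agent.usage()
```

With the default plan the second video segment would push the video counter past its cap and is dropped, so four of the five segments are forwarded.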
1337 Citations
18 Claims
Specification