COMPUTER DEVICE AND METHOD FOR CONTROLLING UNTRUSTED ACCESS TO A PERIPHERAL DEVICE

US 20160306963A1
Filed: 04/13/2016
Published: 10/20/2016
Est. Priority Date: 04/14/2015
Status: Active Grant

First Claim

Patent Images

1. A computer device, comprising:

a hardware layer comprising a processor, a memory, and a peripheral device;

an operating system executed by the hardware layer, wherein the operating system is configured to;

perform an operation on the peripheral device using a device driver which drives the peripheral device and a device object as an object representing the peripheral device;

operate a primary user account comprising a user process, wherein the device object is accessible by the user process; and

support a secondary user account, derived from the primary user account, wherein the secondary user account isolates an untrusted process; and

an agent executed in cooperation with the operating system, wherein the agent is configured to;

apply security attributes to the device object which permit access to the device object by the primary user account while preventing direct access to the device object by the secondary user account;

intercept a request to selectively allow or deny access to the peripheral device from the secondary user account made toward the device object in relation to the operation of the peripheral device;

examine the request to selectively allow or deny access to the peripheral device from the secondary user account; and

satisfy the request, when the request is allowed, by arranging access to the device object.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer device includes hardware with a connected peripheral device such as a camera or a microphone. An operating system is configured to operate the peripheral device using a device driver and a representative device object. An agent is configured to apply security attributes to the device object which permit access from a primary user account while preventing direct access to the device object by a secondary user account in a sandbox. The agent may intercept requests made toward the device object, examine each request, and then satisfy the request, when the request is allowed, by selectively arranging access to the device object from the sandboxed secondary user account.

Citations

20 Claims

1. A computer device, comprising:
- a hardware layer comprising a processor, a memory, and a peripheral device;
  
  an operating system executed by the hardware layer, wherein the operating system is configured to;
  
  perform an operation on the peripheral device using a device driver which drives the peripheral device and a device object as an object representing the peripheral device;
  
  operate a primary user account comprising a user process, wherein the device object is accessible by the user process; and
  
  support a secondary user account, derived from the primary user account, wherein the secondary user account isolates an untrusted process; and
  
  an agent executed in cooperation with the operating system, wherein the agent is configured to;
  
  apply security attributes to the device object which permit access to the device object by the primary user account while preventing direct access to the device object by the secondary user account;
  
  intercept a request to selectively allow or deny access to the peripheral device from the secondary user account made toward the device object in relation to the operation of the peripheral device;
  
  examine the request to selectively allow or deny access to the peripheral device from the secondary user account; and
  
  satisfy the request, when the request is allowed, by arranging access to the device object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 20)
- - 2. The computer device according to claim 1, wherein the security attributes of the device object are derived according to a security identifier of the secondary user account.
  - 3. The computer device according to claim 2, wherein the security attributes of the device object are derived according to the security identifier of the secondary user account to explicitly deny access to the peripheral device from the secondary user account.
  - 4. The computer device according to claim 1, wherein the security attributes of the device object are derived according to a security identifier of the primary user account.
  - 5. The computer device according to claim 4, wherein the security attributes of the device object are derived according to the security identifier of the primary user account to explicitly permit access to the peripheral device from the primary user account.
  - 6. The computer device according to claim 1, wherein the agent is configured to examine the request to selectively allow or deny access to the peripheral device from the secondary user account by checking a policy rule.
  - 7. The computer device according to claim 1, wherein the agent is configured to determine a type of the peripheral device and to apply the security attributes to the device object according to the type of the peripheral device.
  - 8. The computer device according to claim 1, wherein the agent is configured to determine when the peripheral device is newly-connected to the computer device and to apply the security attributes to the device object before the request from the secondary user account is made toward the device object.
  - 9. The computer device according claim 1, wherein the agent is configured to satisfy the request by acting as a proxy for the request, wherein the agent is configured to forward a proxy request in response to the request from the secondary user account.
  - 10. The computer device according to claim 1, wherein the agent is configured to satisfy the request by providing an impersonation token to the secondary user account.
  - 20. A non-transitory computer readable storage medium having recorded thereon instructions which, when implemented by a computer device, cause one or more of the computer device to perform the method of claim 11 and the computer device to be arranged as set forth in claim 1.

11. A method for controlling access to a peripheral device on a computer device, the method being implemented by hardware of the computer device including at least a processor and a memory, the method comprising:
- supporting an operation on the peripheral device using a device driver which drives the peripheral device and a device object as an object representing the peripheral device, by an operating system of the computer device;
  
  operating a primary user account comprising a user process, wherein the device object is accessible by the user process;
  
  establishing a secondary user account, derived from the primary user account, wherein the secondary user account isolates an untrusted process;
  
  applying security attributes to the device object which permit access to the device object by the primary user account while preventing direct access to the device object by the secondary user account;
  
  intercepting a request to selectively allow or deny access to the peripheral device from the secondary user account made toward the device object in relation to the operation of the peripheral device;
  
  examining the request to selectively allow or deny access to the peripheral device from the secondary user account; and
  
  satisfying the request, when the request is allowed, by arranging access to the device object.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method according to claim 11, wherein the security attributes of the device object are derived according to a security identifier of the secondary user account.
  - 13. The method according to claim 12, wherein the security attributes of the device object are derived according to the security identifier of the secondary user account to deny access to the peripheral device from the secondary user account.
  - 14. The method according to claim 11, wherein the security attributes of the device object are derived according to a security identifier of the primary user account.
  - 15. The method according to claim 14, wherein the security attributes of the device object are derived according to the security identifier of the primary user account to permit access to the peripheral device from the primary user account.
  - 16. The method according to claim 11, wherein the method further comprises determining a type of the peripheral device and applying the security attributes to the device object according to the type of the peripheral device.
  - 17. The method according to claim 11, wherein the method further comprises determining when the peripheral device is newly-connected to the computer device and applying the security attributes to the device object before the request from the secondary user account is made toward the device object.
  - 18. The method according to claim 11, wherein satisfying the request comprises acting as a proxy for the request, comprising forwarding a proxy request in response to the request from the secondary user account.
  - 19. The method according to claim 11, wherein satisfying the request comprises providing an impersonation token to the secondary user account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avecto Limited (BeyondTrust Corp.)
Original Assignee
Avecto Limited (BeyondTrust Corp.)
Inventors
AUSTIN, Mark James, GOODRIDGE, John

Granted Patent

US 10,078,751 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/57   Certifying or maintaining t...

H04L 67/306   User profiles

COMPUTER DEVICE AND METHOD FOR CONTROLLING UNTRUSTED ACCESS TO A PERIPHERAL DEVICE

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

COMPUTER DEVICE AND METHOD FOR CONTROLLING UNTRUSTED ACCESS TO A PERIPHERAL DEVICE

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links