COMPUTER DEVICE AND METHOD FOR CONTROLLING UNTRUSTED ACCESS TO A PERIPHERAL DEVICE
First Claim

1. A computer device, comprising:
  a hardware layer comprising a processor, a memory, and a peripheral device;
  an operating system executed by the hardware layer, wherein the operating system is configured to:
    perform an operation on the peripheral device using a device driver which drives the peripheral device and a device object as an object representing the peripheral device;
    operate a primary user account comprising a user process, wherein the device object is accessible by the user process; and
    support a secondary user account, derived from the primary user account, wherein the secondary user account isolates an untrusted process; and
  an agent executed in cooperation with the operating system, wherein the agent is configured to:
    apply security attributes to the device object which permit access to the device object by the primary user account while preventing direct access to the device object by the secondary user account;
    intercept a request to selectively allow or deny access to the peripheral device from the secondary user account made toward the device object in relation to the operation of the peripheral device;
    examine the request to selectively allow or deny access to the peripheral device from the secondary user account; and
    satisfy the request, when the request is allowed, by arranging access to the device object.
Abstract
A computer device includes hardware with a connected peripheral device such as a camera or a microphone. An operating system is configured to operate the peripheral device using a device driver and a representative device object. An agent is configured to apply security attributes to the device object which permit access from a primary user account while preventing direct access to the device object by a secondary user account in a sandbox. The agent may intercept requests made toward the device object, examine each request, and then satisfy the request, when the request is allowed, by selectively arranging access to the device object from the sandboxed secondary user account.
20 Claims
1. A computer device, comprising: (independent claim; its full text is given under First Claim above). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 20.
11. A method for controlling access to a peripheral device on a computer device, the method being implemented by hardware of the computer device including at least a processor and a memory, the method comprising:
  supporting an operation on the peripheral device using a device driver which drives the peripheral device and a device object as an object representing the peripheral device, by an operating system of the computer device;
  operating a primary user account comprising a user process, wherein the device object is accessible by the user process;
  establishing a secondary user account, derived from the primary user account, wherein the secondary user account isolates an untrusted process;
  applying security attributes to the device object which permit access to the device object by the primary user account while preventing direct access to the device object by the secondary user account;
  intercepting a request to selectively allow or deny access to the peripheral device from the secondary user account made toward the device object in relation to the operation of the peripheral device;
  examining the request to selectively allow or deny access to the peripheral device from the secondary user account; and
  satisfying the request, when the request is allowed, by arranging access to the device object.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
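The access-control pattern that the abstract and claims 1 and 11 describe, as an added toy model that is not part of the patent (the class names, the SID-like identifiers, the `camera0` device name and the read-only policy are all hypothetical): the agent sets the device object's security attributes so that only the primary account may open it, a direct open from the derived sandbox account therefore fails, and a request routed through the agent is examined against a policy and, when allowed, satisfied by opening the object on the primary account's behalf.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Account:
    sid: str                             # constructed SID-like identifier
    parent: Optional["Account"] = None   # a secondary account is derived from a primary one

@dataclass
class DeviceObject:
    name: str
    allowed_sids: Set[str] = field(default_factory=set)   # security attributes (toy DACL)

    def open(self, account: Account) -> str:
        """Direct open against the device object: only accounts named in the attributes succeed."""
        if account.sid not in self.allowed_sids:
            raise PermissionError(f"{account.sid} may not open {self.name} directly")
        return f"handle:{self.name}:{account.sid}"

class Agent:
    """Applies the security attributes and brokers requests from the sandboxed account."""
    def __init__(self, primary: Account, device: DeviceObject,
                 policy: Callable[[Account, str], bool]) -> None:
        self.primary, self.device, self.policy = primary, device, policy
        self.audit: List[Tuple[str, ...]] = []
        device.allowed_sids = {primary.sid}   # primary permitted; sandbox and everyone else denied

    def request(self, account: Account, operation: str) -> Optional[str]:
        """Intercept, examine and, if allowed, satisfy a request by opening on the primary's behalf."""
        if account.parent is not self.primary:
            self.audit.append(("reject", account.sid, operation, "not derived from primary"))
            return None
        if not self.policy(account, operation):
            self.audit.append(("deny", account.sid, operation))
            return None
        self.audit.append(("allow", account.sid, operation))
        return self.device.open(self.primary)   # the sandbox never touches the object itself

def demo() -> dict:
    primary = Account("S-1-5-21-primary")                  # constructed identifiers
    sandbox = Account("S-1-5-21-sandbox", parent=primary)
    camera = DeviceObject("camera0")
    agent = Agent(primary, camera, policy=lambda acct, op: op == "read")
    try:
        camera.open(sandbox)
        sandbox_direct = True
    except PermissionError:
        sandbox_direct = False
    return {"primary_direct": camera.open(primary), "sandbox_direct": sandbox_direct,
            "sandbox_read": agent.request(sandbox, "read"), "sandbox_write": agent.request(sandbox, "write")}
```

The `audit` list records every intercepted request with its outcome, which is where a real broker would emit the telemetry a detection team needs to see which sandboxed process asked for the camera or microphone and whether it was granted.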