US9672350B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9672350-B2 |
| Application number | US-39800109-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 4, 2009 |
| Priority date | Mar 4, 2008 |
| Publication date | Jun 6, 2017 |
| Grant date | Jun 6, 2017 |
Abstract
Embodiments include systems and methods for authorizing software code to be executed or access capabilities in secure operating environments. Profiles may be issued by trusted entities to extend trust to other entities to allow those other entities to provide or control execution of applications in a secure operating environment such as on particular computing devices. The profiles allow entities to add software code to the device without reauthorizing each distribution by a trusted authority such as testing, quality assurance, or to limited groups of devices controlled or authorized by the other entities.
Claims (preview)
What is claimed is:

1. A computerized method of authorizing software on an electronic device including a processor, the method comprising: receiving, by a kernel executing in a trusted space of an operating system executing on the processor, a request to execute a software module stored on the electronic device, the software module created by a developer trusted to test software on the electronic device; communicating, by the kernel, data indicative of the software module to a policy service executing as a trusted process in an untrusted space of an operating system executing on the processor, the data indicative of the software module comprising at least one entitlement requested for executing the software module, and the policy service having been verified trusted upon execution; obtaining, by the policy service, a digest generated from at least one portion of executable instructions for the software module, the digest signed by the developer; identifying, by the policy service, one or more profiles for the developer associated with the software module, the one or more profiles created and signed by a trusted authority and comprising data indicative of at least one entitlement permitted for executing software created by the developer; authenticating, by the policy service, the at least one requested entitlement based at least in part on verifying the at least one requested entitlement against the at least one permitted entitlement in the one or more identified profiles and verifying the digest; communicating, by the policy service, the at least one requested entitlement to the kernel; and executing, by the kernel, the software module on the processor based on the at least one requested entitlement.
2. The method of claim 1, wherein the software module comprises at least one of an application program and a shared library.
3. The method of claim 1, wherein the digest is generated based on a plurality of digest values indicative of respective portions of the software module.
4. The method of claim 1, wherein the digest comprises a SHA-1 hash indicative of the at least one portion.
5. The method of claim 1, wherein verifying the digest comprises authenticating a cryptographic signature of the digest based on a cryptographic key of the developer.
6. The method of claim 5, wherein authenticating the cryptographic signature of the digest comprises: calculating a cryptographic signature of the digest based on a public key of the developer; and comparing the calculated signature with the signature of the digest.
7. The method of claim 5, wherein each profile comprises data indicative of at least one device identifier and authenticating the at least one requested entitlement comprises: authenticating the one or more profiles based on a cryptographic key of the trusted authority stored on the electronic device; comparing the at least one device identifier of the profile to a device identifier of the electronic device; and authenticating the at least one requested entitlement based on the comparing.
8. The method of claim 1, wherein the at least one requested entitlement comprises at least one or more of an allow debugging entitlement, an allow trace entitlement, an allow access to address book data entitlement, or allow access to multimedia API entitlement.
9. A non-transient computer readable medium, comprising instructions that when executed by a processor of an electronic device, perform a method of: receiving, by a kernel executing in a trusted space of an operating system executing on the processor, a request to execute a software module stored on the electronic device, the software module created by a developer trusted to test software on the electronic device; communicating, by the kernel, data indicative of the software module to a policy service executing as a trusted process in an untrusted space of an operating system executing on the processor, the data indicative of the software module comprising at least one entitlement requested for executing the software module, and the policy service having been verified as trusted upon execution; obtaining, by the policy service, a digest generated from at least one portion of executable instructions for the software module, the digest signed by the developer; identifying, by the policy service, one or more profiles for the developer associated with the software module, the one or more profiles created and signed by a trusted authority and comprising data indicative of at least one entitlement permitted for executing software created by the developer; authenticating, by the policy service, the at least one requested entitlement based at least in part on verifying the at least one requested entitlement against the at least one permitted entitlement in the one or more identified profiles and verifying the digest; communicating, by the policy service, the at least one requested entitlement to the kernel; and executing, by the kernel, the software module on the processor based on the at least one requested entitlement.
10. The non-transient computer readable medium of claim 9, wherein the software module comprises at least one of an application program and a shared library.
11. The non-transient computer readable medium of claim 9, wherein the digest is generated based on a plurality of digest values indicative of respective portions of the software module.
12. The non-transient computer readable medium of claim 9, wherein the digest comprises a SHA-1 hash indicative of the at least one portion.
13. The non-transient computer readable medium of claim 9, wherein verifying the digest comprises authenticating a cryptographic signature of the digest based on a cryptographic key of the developer.
14. The non-transient computer readable medium of claim 13, wherein authenticating the at least one entitlement comprises: calculating a cryptographic signature of the digest based on a public key of the developer; and comparing the calculated signature with the signature of the digest.
15. The non-transient computer readable medium of claim 13, wherein each profile comprises data indicative of at least one device identifier and authenticating the at least one requested entitlement comprises: authenticating the one or more profiles based on a cryptographic key of the trusted authority stored on the electronic device; comparing the at least one device identifier of the profile to a device identifier of the electronic device; and authenticating the at least one requested entitlement based on the comparing.
16. The non-transient computer readable medium of claim 9, wherein the at least one requested entitlement comprises at least one or more of an allow debugging entitlement, an allow trace entitlement, an allow access to address book data entitlement, or allow access to multimedia API entitlement.
17. A device comprising: a storage configured to: store a software module for execution on the device; and store at least one profile comprising at least one entitlement permitted for executing software created by a developer that created the software module, the at least one profile created and signed by a trusted authority and the developer trusted to test software on the device; and at least one processor configured to: receive, by a kernel executing in a trusted space of an operating system executing on the processor, a request to execute the software module; communicate, by the kernel, data indicative of the software module to a policy service executing as a trusted process in an untrusted space of an operat
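The policy-service decision that claims 1, 3, 5 and 7 describe (an authority-signed profile, a device identifier check, a developer-signed digest built from per-portion digests, and requested entitlements checked against the permitted ones), written out as an added Go example; this is not code from the patent or its assignee. Ed25519 for both signatures, the profile byte layout, the entitlement names and SHA-256 in place of the SHA-1 of claim 4 are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"slices"
	"strings"
)
// Profile is issued and signed by the trusted authority (claims 1 and 7).
type Profile struct {
	Developer    ed25519.PublicKey // developer key the authority vouches for
	DeviceIDs    []string          // device identifiers the profile is valid on
	Entitlements []string          // entitlements this developer may request
	Signature    []byte            // authority's signature over Bytes()
}
// Bytes is the form the authority signs (assumed layout; strings must not contain NUL or 0x01).
func (p Profile) Bytes() []byte {
	s := strings.Join(p.DeviceIDs, "\x00") + "\x01" + strings.Join(p.Entitlements, "\x00")
	return append([]byte(s), p.Developer...)
}
// ModuleDigest hashes the per-portion digests (claim 3); SHA-256 replaces claim 4's SHA-1.
func ModuleDigest(portions [][]byte) []byte {
	h := sha256.New()
	for _, portion := range portions {
		sum := sha256.Sum256(portion)
		h.Write(sum[:])
	}
	return h.Sum(nil)
}
// Authorize is the policy-service decision of claims 1, 5 and 7: it returns the
// entitlements the kernel may grant, or an error meaning the module must not run.
func Authorize(authority ed25519.PublicKey, deviceID string, prof Profile,
	portions [][]byte, requested []string, digestSig []byte) ([]string, error) {
	if !ed25519.Verify(authority, prof.Bytes(), prof.Signature) {
		return nil, errors.New("profile not signed by the trusted authority")
	}
	if !slices.Contains(prof.DeviceIDs, deviceID) {
		return nil, errors.New("profile does not cover this device")
	}
	if !ed25519.Verify(prof.Developer, ModuleDigest(portions), digestSig) {
		return nil, errors.New("digest not signed by the profile's developer")
	}
	for _, e := range requested {
		if !slices.Contains(prof.Entitlements, e) {
			return nil, errors.New("entitlement not permitted by profile: " + e)
		}
	}
	return requested, nil
}
```

Every check runs before the kernel is told which entitlements to grant, so a profile from the wrong authority, a device outside the profile, a modified module or an extra entitlement all deny execution the same way.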
CPC classification titles:

- at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
- using certificates
- Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- User authentication