111111
`
`(19) United States
`(12) Patent Application Publication
`Narin
`
`11111111111111111111111111111111111111111111111111111111111111
`US 20020002673Al
`
`(10) Pub. No.: US 2002/0002673 Al
`Jan. 3, 2002
`(43) Pub. Date:
`
`(54) SYSTEM AND METHOD FOR
`INTEGRATING SECURE AND NON-SECURE
`SOFTWARE OBJECTS
`
`(75)
`
`Inventor: Attila Narin, Bothell, WA (US)
`
`Publication Classification
`
`Int. CI? ....................................................... H04L 9/00
`(51)
`(52) U.S. CI. .............................................................. 713/152
`
`Correspondence Address:
`WOODCOCK WASHBURN KURTZ
`MACKIEWICZ & NORRIS LLP
`ATTENTION: STEVEN J. ROCCI, ESQ.
`ONE LIBERTY PLACE, 46TH FLOOR
`PHILADELPHIA, PA 19103 (US)
`
`(73)
`
`Assignee: Microsoft Corporation
`
`(21)
`
`Appl. No.:
`
`09/837,904
`
`(22)
`
`Filed:
`
`Apr. 19, 2001
`
`Related U.S. Application Data
`
`(63)
`
`Non-provisional of provisional application No.
`60/215,342, filed on Jun. 30, 2000.
`
`(57)
`
`ABSTRACT
`
`A secure first process uses a non-secure software object by
`hosting said non-secure software object in a separate second
`process, where the first process's address space is inacces(cid:173)
`sible to the second process. The first process communicates
`with the second process, preferably by means of a COM API
`that the second process exposes to the first process. The
`application that runs in the second process may expose APIs
`of the hosted non-secure object to the first process, and the
`first process may communicate with the non-secure object
`hosted in the second process through this API. In a preferred
`embodiment, the second process renders its output in a child
`window of the first process, so that the use of a second
`process to host non-secure software objects is transparent to
`a user of the first process.
`
`PROCESS 310
`
`I
`SECURE APPLICATION 312
`
`------------------------
`SOFTWARE OBJECT
`314
`------------------------
`
`PROCESS 320
`
`HOSTING
`APPLICATION 324
`
`•
`
`API 328
`
`COM
`OBJECT 326
`
`NON-SECURE
`SOFTWARE OBJECT
`322
`
`Google - Exhibit 1008, page 1
`
`Google - Exhibit 1008, page 1
`
`

`
`f-SJ~t~~ ~.:~~r~ U 30
`-----------------------------------------------------I ·I~~
`I
`BIOS ml
`~o
`
`Output
`Peripheral
`Interface 195
`
`t
`t
`
`!
`
`Monitor 191
`
`I
`I
`I
`I
`
`.I
`1
`
`.I
`-I
`
`Printer 1961
`
`Speakers 1971
`
`i
`
`j I
`1
`
`Computer 100
`
`(ROM) 131
`
`- - - - - ,
`
`f-(RAM) 132
`
`i
`
`Operating
`System 134
`
`Application
`Programs ~
`
`Other Program
`Modules 136
`
`Program
`Data
`
`I
`
`137
`
`Processing
`Unit
`
`120
`
`Video
`Interface
`190
`
`TSvstem Bus 121
`~
`.1.
`Removable
`Non-Volatile
`Memory
`Inte~ace 15~
`
`Non-Removable
`Non-Volatile
`Memory
`Interface 140
`
`User Input
`Interface
`
`160
`
`Network
`Interface
`'--___ 1_7--'0 I :
`
`1
`
`Local Area
`Network
`
`1
`1
`1
`- __ - _____ 1
`
`- ___ ._ -
`
`-
`
`1;;
`. MOdt!: Wde:=:;:iL
`II~D~ 72
`I ~~~.~?~~~ I
`
`OPERATING APPLICATION P~6~~M PROGRAM
`SYSTEM
`PROGRAMS
`MODS
`DATA
`144
`145
`·146
`147
`
`Mouse
`161
`
`Keyboard 162
`
`COMPUTER
`180
`
`FIG. 1
`
`REMOTE
`APPLICATION
`PROGRAMS ~
`
`Google - Exhibit 1008, page 2
`
`/")
`
`~ .....
`
`""C
`~ .....
`~ = .....
`~
`'t:I -....
`.... o =
`~
`0--....
`.... o =
`
`/")
`
`~ .....
`
`~
`~
`?
`~~
`N
`C
`C
`N
`
`'JJ. =(cid:173)~
`~ .....
`'""'" o ....,
`
`Ul
`
`Cj
`'JJ.
`N
`C
`C
`~
`C
`C
`C
`N
`0'1
`;;!
`>
`'""'"
`
`Google - Exhibit 1008, page 2
`
`

`
`Patent Application Publication
`
`Jan. 3, 2002 Sheet 2 of 5
`
`US 2002/0002673 Al
`
`COMPUTER 110
`
`MEMORY
`~---. (e.g., hard
`disk 141)
`
`MEMORY
`~---. (e.g., RAM
`132)
`
`r.
`----.,
`
`ADDRESS
`SPACE
`212
`
`PROCESS 210
`
`I OBJECT 213 1
`I OBJECT 2141
`
`OPERATING
`SYSTEM 134
`-
`
`!
`\ PROCESS 220
`
`MEMORY
`~---. (e.g., hard
`disk 141)
`
`MEMORY
`~---. (e.g., RAM
`132)
`
`I OBJECT 223 1
`I OBJECT 2241
`
`ADDRESS
`~
`---. SPACE
`222
`
`FIG. 2
`
`Google - Exhibit 1008, page 3
`
`Google - Exhibit 1008, page 3
`
`

`
`Patent Application Publication
`
`Jan. 3, 2002 Sheet 3 of 5
`
`US 2002/0002673 Al
`
`0
`N
`M
`en
`en
`W
`CJ
`0
`0::
`o..
`
`(!) oq
`z N
`M
`t-Z
`U)o
`0-
`J:~
`CJ
`:::::i
`Il.
`0..
`«
`
`,.
`
`~I
`:Zt-
`OCJ
`0.. OW
`""')
`c:(
`III
`0
`
`~I
`
`t-
`CJ
`WW
`0::""')
`~~
`OWNI
`Wo::N
`UJ«M
`Z;:
`01-
`Zu.
`0
`en
`
`0
`~
`M
`U)
`U)
`W
`
`~
`0::
`0..
`
`N
`'"""
`M
`Z
`Q
`~
`CJ
`:J
`a.
`Il.
`<C
`'-- W
`0::
`~
`
`CJ w en
`
`l-
`I CJ
`I W
`""')
`III
`0
`Woql
`o::~
`c:(M
`
`I
`I
`I
`I
`I
`I
`I
`I
`
`I
`I
`I
`
`... ---------
`
`---------,
`
`~
`u.
`0 en
`
`G o
`
`o
`gl
`e
`
`hiEi
`-
`
`bt
`
`x ,0081
`
`pa
`
`ge
`4
`
`Google - Exhibit 1008, page 4
`
`

`
`Patent Application Publication
`
`Jan. 3, 2002 Sheet 4 of 5
`
`US 2002/0002673 Al
`
`402
`
`404
`
`406
`
`408
`
`410
`
`412
`
`BEGIN
`
`SECURE APPLICATION
`RUNS IN FIRST
`PROCESS
`
`HOSTING APPLICATION
`STARTS IN SECOND
`PROCESS
`
`HOSTING APPLICATION
`HOSTS NON-SECURE
`SOFTWARE OBJECT
`
`SECURE APPLICATION
`COMMUNICATES WITH
`HOSTING APPLICATION
`
`NON-SECURE
`SOFTWARE OBJECT
`PERFORMS ACTIONS
`WITH SECURE
`APPLICATION
`
`SECURE APPLICATION
`IS TERMINATED AND
`ALSO TERMINATES
`HOSTING APPLICATION
`
`FIG. 4
`
`Google - Exhibit 1008, page 5
`
`Google - Exhibit 1008, page 5
`
`

`
`Patent Application Publication
`
`Jan. 3, 2002 Sheet 5 of 5
`
`US 2002/0002673 Al
`
`- - -
`-
`-
`-
`-
`lif -
`The following stores and companies provide reading
`material for the Microsoft Reader. Click the "Add"
`button to add items to your Bookstore.
`
`Barnes 81: Noble.com
`~M~\~ Microsoft Reader eBookstore
`
`List of all Bookstores
`
`509
`
`500
`
`J
`
`502
`
`Dansk Deutsch English Espanol Francais
`~ PurlLlYu~~ (Br-d::.il) SVI:::!!II::.kd
`
`506
`
`504
`
`502
`
`FIG. 5
`
`Google - Exhibit 1008, page 6
`
`Google - Exhibit 1008, page 6
`
`

`
`US 2002/0002673 Al
`
`Jan. 3,2002
`
`1
`
`SYSTEM AND METHOD FOR INTEGRATING
`SECURE AND NON-SECURE SOFTWARE
`OBJECTS
`
`CROSS-REFERENCE TO RELATED CASES
`
`[0001] This application claims the benefit of U.S. Provi(cid:173)
`sional Application Serial No. 60/215,342, entitled "Method
`and System for Using Open Platforms in Applications
`Employing a Digital Rights Management System," filed on
`Jun. 30, 2000.
`
`FIELD OF THE INVENTION
`
`[0002] The present invention relates generally to the field
`of computer security. More particularly, the invention pro(cid:173)
`vides a system and method for using secure and non-secure
`software objects together, without compromising the secure
`object's ability to protect itself and the data on which it
`operates.
`
`BACKGROUND OF THE INVENTION
`[0003] Many applications handle protected content, such
`as copyrighted text, audio, video, etc., that is protected by a
`digital rights management system. Typically, the protection
`of content is achieved by encrypting the content and allow(cid:173)
`ing it to be decrypted and handled in clear-text form only by
`trusted applications. "Trust" of an application is generally
`established by incorporating security measures into the
`application (e.g., encrypted code, integrity checks, obfus(cid:173)
`cated cryptographic keys, etc.), and executing the trusted
`application in its own process so that the data handled by the
`trusted application is not available to other processes.
`
`[0004] While isolating a trusted application in its own
`process provides excellent protection for the trusted content,
`doing so deprives the application of one of the benefits of
`executing on an open platform: the ability to integrate with
`other applications running on the same platform. Typically,
`when a first application needs to use some capability avail(cid:173)
`able in a second application, the first application will simply
`run the separate application within its own process. For
`example, the designers of an application may wish to
`provide a limited form of web browsing capability within
`their application. Rather than re-invent the wheel by writing
`browser capability into the program from scratch, the
`designers may allow the application to run a browser (such
`as the INTERNET EXPLORER browser) in the same pro(cid:173)
`cess. However, if the application is trusted, running a
`browser "in-proc" may subvert the security scheme of the
`trusted application. The browser code may not be secure to
`the same extent as the trusted application. Even if the
`browser code itself is secure, the browser provides the
`capability to import executable code from other sources that
`may not be trusted. If trust is to be maintained, executable
`code from unknown sources cannot be given access to the
`address space of the trusted application and therefore cannot
`be run in process.
`
`In view of the foregoing, there is a need for a
`[0005]
`technique for integrating general-purpose application with
`trusted applications that overcomes the drawbacks of the
`prior art.
`
`SUMMARY OF THE INVENTION
`[0006] The present invention provides a technique for
`integrating untrusted or "open" features into a "closed"
`
`process. In accordance with the invention, an open or
`untrusted application is run in a separate, auxiliary process
`from the closed or protected application. The auxiliary
`process is creating by running a "hosting" application that
`has minimal functionality-just enough to be able to host an
`application and to communicate with the closed process. The
`auxiliary process is started by the closed process; the closed
`process controls the lifetime of the auxiliary process and
`terminates it when the open features that it provides are no
`longer necessary.
`
`In a preferred embodiment, the trusted or closed
`[0007]
`application is a rendering application that incorporates digi(cid:173)
`tal rights management functionality to protect copyrighted
`content. Such an application may include a limited web(cid:173)
`browsing service (such as the integrated shopping feature
`described in U.S. Provisional Application No. 60/215,488,
`entitled "Integrated Bookstore," filed on Jun. 30, 2000),
`which is performed on behalf of the rendering application by
`the INTERNET EXPLORER browser. The rendering appli(cid:173)
`cation starts an application called "browser _ host.exe" in a
`separate process. browser _ host.exe contains sufficient func(cid:173)
`tionality to host the INTERNET EXPLORER browser, and
`also exposes a high-level interface to communicate with the
`closed application (e.g., via COM, WINDOWS messaging,
`etc.), and also provides a way to expose interfaces of the
`hosted browser. Preferably, a child window of the rendering
`application is created, and the browser _ host.exe process
`renders its output into this window. Since the child window
`is in the same display location as the main window of the
`rendering application, it appears to the user as if the web
`browsing functionality is being provided by the rendering
`application. The user is unaware that the web browsing
`functionality is being provided by a separate program run(cid:173)
`ning within a separate process.
`
`[0008] Other features of the invention are described
`below.
`BRIEF DESCRIPTION OF THE DRAWINGS
`[0009] The foregoing summary, as well as the following
`detailed description of preferred embodiments, is better
`understood when read in conjunction with the appended
`drawings. For the purpose of illustrating the invention, there
`is shown in the drawings exemplary constructions of the
`invention; however, the invention is not limited to the
`specific methods and instrumentalities disclosed. In the
`drawings:
`[0010] FIG. 1 is a block diagram of an exemplary com(cid:173)
`puting environment in which aspects of the invention may
`be implemented;
`[0011] FIG. 2 is a block diagram of a plurality of pro(cid:173)
`cesses having separate address spaces;
`[0012] FIG. 3 is a block diagram of separate secure and
`non-secure processes in accordance with aspects of the
`invention;
`[0013] FIG. 4 is a flow diagram of an exemplary method
`whereby a secure application running in a first process
`invokes a non-secure software object in a second process;
`and
`[0014] FIG. 5 is a diagram of spatially coinciding win(cid:173)
`dows which are used to render the output of secure and
`non-secure applications, respectively, in accordance with
`aspects of the invention.
`
`Google - Exhibit 1008, page 7
`
`Google - Exhibit 1008, page 7
`
`

`
`US 2002/0002673 Al
`
`Jan. 3,2002
`
`2
`
`DETAILED DESCRIPTION OF IRE
`INVENTION
`
`[0015] Overview
`[0016]
`In a world where computers are increasingly called
`upon to handle secure or sensitive information, there is a
`tension between trusted applications and "open" applica(cid:173)
`tions. Trusted applications typically provide a circumscribed
`set of functions that cannot be extended by a user, which
`means that such applications can be trusted to handle
`sensitive content in predictable ways. Open applications, on
`the other hand, provide a wide range of functionality that is,
`in some cases, user expandable-some open applications,
`such as browsers, can execute code that is user-implemented
`or imported from other sites on the Internet. However, the
`very flexibility that makes open applications useful in a wide
`variety of situations also makes them inappropriate for
`handling sensitive information. An open application may
`import code that could subvert the security scheme designed
`to protect whatever sensitive information the open applica(cid:173)
`tion might be handling. However, it is sometimes useful to
`package the functions of an open application together with
`those of a secure application. For example, it may be useful
`for a secure content-rendering application (e.g., one that
`renders copyrighted material) to provide a feature that
`allows the user to shop for copyrighted material with a web
`browser. The present invention provides a technique that
`allows the functions of a secure application to be integrated
`with those of an open application.
`[0017] Exemplary Computing Environment
`[0018] FIG. 1 illustrates an example of a suitable com(cid:173)
`puting system environment 100 in which the invention may
`be implemented. The computing system environment 100 is
`only one example of a suitable computing environment and
`is not intended to suggest any limitation as to the scope of
`use or functionality of the invention. Neither should the
`computing environment 100 be interpreted as having any
`dependency or requirement relating to anyone or combina(cid:173)
`tion of components illustrated in the exemplary operating
`environment 100.
`[0019] The invention is operational with numerous other
`general purpose or special purpose computing system envi(cid:173)
`ronments or configurations. Examples of well known com(cid:173)
`puting systems, environments, and/or configurations that
`may be suitable for use with the invention include, but are
`not limited to, personal computers, server computers, hand(cid:173)
`held or laptop devices, multiprocessor systems, micropro(cid:173)
`cessor-based systems, set top boxes, programmable con(cid:173)
`sumer electronics, network PCs, minicomputers, mainframe
`computers, distributed computing environments that include
`any of the above systems or devices, and the like.
`[0020] The invention may be described in the general
`context of computer-executable instructions, such as pro(cid:173)
`gram modules, being executed by a computer. Generally,
`program modules include routines, programs, objects, com(cid:173)
`ponents, data structures, etc. that perform particular tasks or
`implement particular abstract data types. The invention may
`also be practiced in distributed computing environments
`where tasks are performed by remote processing devices that
`are linked through a communications network or other data
`transmission medium. In a distributed computing environ(cid:173)
`ment, program modules and other data may be located in
`both local and remote computer storage media including
`memory storage devices.
`
`[0021] With reference to FIG. 1, an exemplary system for
`implementing the invention includes a general purpose
`computing device in the form of a computer 110. Compo(cid:173)
`nents of computer 110 may include, but are not limited to,
`a processing unit 120, a system memory 130, and a system
`bus 121 that couples various system components including
`the system memory to the processing unit 120. The system
`bus 121 may be any of several types of bus structures
`including a memory bus or memory controller, a peripheral
`bus, and a local bus using any of a variety of bus architec(cid:173)
`tures. By way of example, and not limitation, such archi(cid:173)
`tectures include Industry Standard Architecture (ISA) bus,
`Micro Channel Architecture (MCA) bus, Enhanced ISA
`(EISA) bus, Video Electronics Standards Association
`(VESA) local bus, and Peripheral Component Interconnect
`(PCI) bus (also known as Mezzanine bus).
`
`[0022] Computer 110 typically includes a variety of com(cid:173)
`puter readable media. Computer readable media can be any
`available media that can be accessed by computer 110 and
`includes both volatile and nonvolatile media, removable and
`non-removable media. By way of example, and not limita(cid:173)
`tion, computer readable media may comprise computer
`storage media and communication media. Computer storage
`media includes both volatile and nonvolatile, removable and
`non-removable media implemented in any method or tech(cid:173)
`nology for storage of information such as computer readable
`instructions, data structures, program modules or other data.
`Computer storage media includes, but is not limited to,
`RAM, ROM, EEPROM, flash memory or other memory
`technology, CDROM, digital versatile disks (DVD) or other
`optical disk storage, magnetic cassettes, magnetic tape,
`magnetic disk storage or other magnetic storage devices, or
`any other medium which can be used to store the desired
`information and which can accessed by computer 110.
`Communication media typically embodies computer read(cid:173)
`able instructions, data structures, program modules or other
`data in a modulated data signal such as a carrier wave or
`other transport mechanism and includes any information
`delivery media. The term "modulated data signal" means a
`signal that has one or more of its characteristics set or
`changed in such a manner as to encode information in the
`signal. By way of example, and not limitation, communi(cid:173)
`cation media includes wired media such as a wired network
`or direct-wired connection, and wireless media such as
`acoustic, RF, infrared and other wireless media. Combina(cid:173)
`tions of any of the above should also be included within the
`scope of computer readable media.
`
`[0023] The system memory 130 includes computer stor(cid:173)
`age media in the form of volatile and/or nonvolatile memory
`such as read only memory (ROM) 131 and random access
`memory (RAM) 132. A basic input/output system 133
`(EI OS), containing the basic routines that help to transfer
`information between elements within computer 110, such as
`during start-up, is typically stored in ROM 131. RAM 132
`typically contains data and/or program modules that are
`immediately accessible to and/or presently being operated
`on by processing unit 120. By way of example, and not
`limitation, FIG. 1 illustrates operating system 134, applica(cid:173)
`tion programs 135, other program modules 136, and pro(cid:173)
`gram data 137.
`
`[0024] The computer 110 may also include other remov(cid:173)
`able/non-removable, volatile/nonvolatile computer storage
`media. By way of example only, FIG. 1 illustrates a hard
`
`Google - Exhibit 1008, page 8
`
`Google - Exhibit 1008, page 8
`
`

`
`US 2002/0002673 Al
`
`Jan. 3,2002
`
`3
`
`disk drive 140 that reads from or writes to non-removable,
`nonvolatile magnetic media, a magnetic disk drive 151 that
`reads from or writes to a removable, nonvolatile magnetic
`disk 152, and an optical disk drive 155 that reads from or
`writes to a removable, nonvolatile optical disk 156, such as
`a CD ROM or other optical media. Other removable/non(cid:173)
`removable, volatile/nonvolatile computer storage media that
`can be used in the exemplary operating environment
`include, but are not limited to, magnetic tape cassettes, flash
`memory cards, digital versatile disks, digital video tape,
`solid state RAM, solid state ROM, and the like. The hard
`disk drive 141 is typically connected to the system bus 121
`through an non-removable memory interface such as inter(cid:173)
`face 140, and magnetic disk drive 151 and optical disk drive
`155 are typically connected to the system bus 121 by a
`removable memory interface, such as interface 150.
`
`[0025] The drives and their associated computer storage
`media discussed above and illustrated in FIG. 1, provide
`storage of computer readable instructions, data structures,
`program modules and other data for the computer 110. In
`FIG. 1, for example, hard disk drive 141 is illustrated as
`storing operating system 144, application programs 145,
`other program modules 146, and program data 147. Note
`that these components can either be the same as or different
`from operating system 134, application programs 135, other
`program modules 136, and program data 137. Operating
`system 144, application programs 145, other program mod(cid:173)
`ules 146, and program data 147 are given different numbers
`here to illustrate that, at a minimum, they are different
`copies. A user may enter commands and information into the
`computer 20 through input devices such as a keyboard 162
`and pointing device 161, commonly referred to as a mouse,
`trackball or touch pad. Other input devices (not shown) may
`include a microphone, joystick, game pad, satellite dish,
`scanner, or the like. These and other input devices are often
`connected to the processing unit 120 through a user input
`interface 160 that is coupled to the system bus, but may be
`connected by other interface and bus structures, such as a
`parallel port, game port or a universal serial bus (USB). A
`monitor 191 or other type of display device is also connected
`to the system bus 121 via an interface, such as a video
`interface 190. In addition to the monitor, computers may
`also include other peripheral output devices such as speakers
`197 and printer 196, which may be connected through an
`output peripheral interface 190.
`
`[0026] The computer 110 may operate in a networked
`environment using logical connections to one or more
`remote computers, such as a remote computer 180. The
`remote computer 180 may be a personal computer, a server,
`a router, a network PC, a peer device or other common
`network node, and typically includes many or all of the
`elements described above relative to the computer 110,
`although only a memory storage device 181 has been
`illustrated in FIG. 1. The logical connections depicted in
`FIG. 1 include a local area network (LAN) 171 and a wide
`area network (WAN) 173, but may also include other
`networks. Such networking environments are commonplace
`in offices, enterprise-wide computer networks, intranets and
`the Internet.
`
`[0027] When used in a LAN networking environment, the
`computer 110 is connected to the LAN 171 through a
`network interface or adapter 170. When used in a WAN
`typically
`the computer 110
`networking environment,
`
`includes a modem 172 or other means for establishing
`communications over the WAN 173, such as the Internet.
`The modem 172, which may be internal or external, may be
`connected to the system bus 121 via the user input interface
`160, or other appropriate mechanism. In a networked envi(cid:173)
`ronment, program modules depicted relative to the computer
`110, or portions thereof, may be stored in the remote
`memory storage device. By way of example, and not limi(cid:173)
`tation, FIG. 1 illustrates remote application programs 185 as
`residing on memory device 181. It will be appreciated that
`the network connections shown are exemplary and other
`means of establishing a communications link between the
`computers may be used.
`
`[0028] Separation of Processes
`
`[0029] Operating system 134 provides an environment in
`which software objects on computer 110 may execute. One
`aspect of the environment provided by operating system 134
`is a facility for creating and managing separate processes.
`Each process provides, among other things, a block of
`memory that is accessible from within the process, but that
`is not accessible to other processes. In general, plural
`processes can run concurrently within the same environ(cid:173)
`ment.
`
`[0030] FIG. 2 shows the exemplary case of two processes
`running concurrently within the same environment on com(cid:173)
`puter 110. Process 210 is associated with an address space
`212. Address space 212 defines a block of memory that can
`be accessed (i.e., read or written) from within process 210.
`Address space 212 may comprise a fixed block of physical
`memory locations on a physical memory device (e.g., RAM
`132). Alternatively, address space 212 may comprise a block
`of "virtual memory," wherein the contents of address space
`212 are stored across (and copied back and forth between)
`various physical devices (e.g., hard disk 141 and RAM 132)
`in a manner determined by operating system 134. Virtual
`memory is known in the art, and is thus not described at
`length herein.
`
`[0031] Software objects 213 and 214 may access memory
`locations in address space 212. Software objects 213 and
`214 may use address space 212 to store or retrieve any type
`of data-e.g., data used or generated during operation of
`software objects 213 and 214, data that is being buffered for
`input or output, data that is being exchanged between
`software objects 213 and 214, etc. Additionally, the code for
`software objects 213 and 214 is generally stored in address
`space 212 while those software objects are executing within
`process 210.
`
`[0032] Process 220 is associated with an address space
`222 separate from address space 212. Address space 222
`defines a block of memory that can be accessed from within
`process 220. Address space 222 may comprise physical or
`virtual memory. Software objects 223 and 224, which
`execute within process 220, may access memory locations in
`address space 222.
`
`[0033] A significant feature of address spaces 212 and 222
`is that they are accessible only from within the respective
`processes 210 and 220 with which they are associated. Thus,
`software objects 213 and 214 cannot access memory loca(cid:173)
`tions in address space 222 because they do not execute
`within process 220. Likewise, software objects 223 and 224
`cannot access memory locations in address space 212
`
`Google - Exhibit 1008, page 9
`
`Google - Exhibit 1008, page 9
`
`

`
`US 2002/0002673 Al
`
`Jan. 3,2002
`
`4
`
`because they do not execute within process 210. Typically,
`this segregation of address spaces 211 and 212 is provided
`by operating system 134. For example, operating system 134
`may keep track of the current execution "context" (i.e.,
`which process is presently executing), and operating system
`134 may refuse to read or write memory locations that have
`been allocated to the address space of a process other than
`the process that is currently executing. This method of
`segregation, however, is merely exemplary; one process
`may maintain data in any manner such that the data is
`relatively inaccessible to other processes, without departing
`from the spirit and scope of the invention.
`
`[0034] Use of a Secure Process with a Non-Secure Soft(cid:173)
`ware Object
`
`[0035] FIG. 3 shows a secure application which uses a
`non-secure software object to perform an action or provide
`a service. Secure application 312 runs inside process 310.
`Application 312 is "secure" in the sense that it includes some
`type of defense against observation or modification. For
`example, secure application 312 may be an application that
`renders encrypted content, and which prevents or deters a
`user from learning the decryption key used to decrypt the
`content, or from copying the decrypted content itself. Typi(cid:173)
`cally, secure application 312 is relied upon by some system
`(e.g., a digital rights management system, or the participants
`therein) to behave in a predictable way (e.g., the distributors
`of content in a digital rights management system may rely on
`secure application 312 to render content only when permit(cid:173)
`ted by the terms of a license). Secure application 312 may,
`optionally, host a software object 314.
`
`[0036] Secure application 312 uses non-secure software
`object 322 to perform an action or provide a service that is
`not directly implemented within application 312. Non-se(cid:173)
`cure software object 322 is "non-secure" in the sense that its
`behavior cannot be relied upon; for example, non-secure
`software object may be a program that imports and runs
`arbitrary code from a remote, non-authenticatable (possibly
`nefarious) source. A web browser is an example of such a
`non-secure software object 322, because it retrieves and
`executes scripts from remote locations that mayor may not
`be trustworthy. As an example, application 312 may provide
`some type of web browsing capability to its user, but, rather
`than performing the actual web browsing functions itself,
`application 312 may call upon a general-purpose browsing
`program to perform the web browsing. In this exemplary
`case, non-secure software object 322 is such a web browsing
`program.
`
`[0037] Hosting application 324 runs within process 320.
`Process 320 is separate from process 310. Hosting applica(cid:173)
`tion 324 preferably contains minimal functionality; in one
`example, hosting application 324 contains just enough func(cid:173)
`tionality to communicate with secure application 312 and to
`provide Object Linking and Embedding (OLE) container
`and hosting support so
`that OLE/COM objects (e.g.,
`ActiveX controls, etc.) can be instantiated and managed. In
`a preferred embodiment, hosting application 324 provides a
`COM object 326 which exposes API 328, and secure appli(cid:173)
`cation 312 communicates with hosting application 324
`through API 328. (That is, secure application 312 commu(cid:173)
`nicates with hosting application 324 by calling various
`methods on API 328.) It will be understood, however, that
`this means of communication is merely exemplary, and
`
`secure application 312 may also communicate with hosting
`application 328 by other means (e.g., a messaging protocol,
`etc.) without departing from the spirit and scope of the
`invention.
`[0038]
`In the exemplary case where hosting application
`324 provides communication through COM object 326 and
`API 328, the API may provide a high-level interface which
`controls aspects of object hosting (e.g., the object's lifetime,
`whether the object is visible or invisible, etc.). The API may
`also provide a way to expose interfaces of the hosted object
`(e.g., non-secure software object 322). Additionally, COM
`object 326 may allow secure application 312 to receive
`events from non-secure object 322.
`It should be understood that, to the extent that
`[0039]
`secure application 312 is, in fact, "secure," its security is not
`compromised by allowing it to communicate with hosting
`application 324. That is, neither hosting application 324, nor
`the non-secure object 322 that hosting application 324 hosts,
`has access to the address space of process 310. Thus,
`non-secure object 322 cannot inject rogue or hostile code
`into process 310. It should also be understood that secure
`application 312 is only as secure as the means used to protect
`it. There may be security "holes" in secure application 312
`that allow an attacker of nefarious intent to subvert whatever
`"security" is provided by secure application 312. For
`example, secure application 312 may include integrity
`checks, code obfuscation, etc., or other "soft" security
`techniques in order to protect secure application 312 from
`observation or modification; all of these security measures
`can be broken with sufficient time and effort. However, using
`a separate process 320 to run non-secure software object
`322"protects" secure application 312 from non-secure soft(cid:173)
`ware object 322 in the sense that non-secure software object
`322 is not given direct access to process 310's address space
`that might be used to subvert the protection scheme of secure
`application 310.
`[0040] FIG. 4 shows an exemplary method by which a
`secure application invokes a non-secure software object in a
`separate process. At step 402, a secure application (e.g.,
`secure application 312, shown in FIG. 3), starts in a first
`process (e.g., process 310). At step 404, a hosting applica(cid:173)
`tion (e.g., hosting application 324) is started in a second
`process (e.g., process 320). Preferably, the secure applica(cid:173)
`tion starts the hosting application, although this need not be
`the case. For example, there may be a startup routine that
`starts the secure application in a first process, a