Softvault Systems v. Symantec


  • 8/2/2019 Softvault Systems v. Symantec

    1/51


ALISA LIPSKI (State Bar No. 278710)
EDWARD GOLDSTEIN (Pro Hac Vice To Be Filed)
GOLDSTEIN & LIPSKI, PLLC
1177 West Loop South, Suite 400
Houston, TX 77027
Telephone: (713) 877-1515
Facsimile: (713) 877-1737
Email: [email protected]
Email: egoldstein@gliplaw.com

JONATHAN T. SUDER (Pro Hac Vice To Be Filed)
CORBY R. VOWELL (Pro Hac Vice To Be Filed)
TODD I. BLUMENFELD (Pro Hac Vice To Be Filed)
FRIEDMAN, SUDER & COOKE
Tindall Square Warehouse No. 1
604 East 4th Street, Suite 200
Fort Worth, Texas 76102
Telephone: (817) 334-0400
Facsimile: (817) 334-0401
Email: [email protected]
Email: [email protected]
Email: [email protected]

Attorneys for Plaintiff
SOFTVAULT SYSTEMS, INC.

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

SOFTVAULT SYSTEMS, INC., Plaintiff,

vs.

SYMANTEC CORPORATION, Defendant.

CASE NO. CV 1... [remainder illegible in the scan]

COMPLAINT FOR INFRINGEMENT OF U.S. PATENT NOS. 6,249,868 AND 6,594,765

JURY TRIAL DEMANDED

COMPLAINT FOR PATENT INFRINGEMENT


Plaintiff SOFTVAULT SYSTEMS, INC. files its Complaint against Defendant SYMANTEC CORPORATION, alleging as follows:

THE PARTIES

1. Plaintiff SOFTVAULT SYSTEMS, INC. ("SOFTVAULT") is a corporation organized and existing under the laws of the State of Washington with its principal place of business in the State of Washington.

2. Upon information and belief, SYMANTEC CORPORATION ("DEFENDANT") is a corporation organized and existing under the laws of the State of Delaware, with its principal place of business in Mountain View, California. Defendant may be served with process through its registered agent Corporation Service Company dba CSC - Lawyers Incorporating Service, 2730 Gateway Oaks Drive, Suite 100, Sacramento, CA 95833.

JURISDICTION AND VENUE

3. This is an action for infringement of United States patents. This Court has exclusive jurisdiction of such action under Title 28 U.S.C. 1338(a).

4. Upon information and belief, Symantec is subject to personal jurisdiction in this Court. Symantec has committed such purposeful acts and/or transactions in the State of California that it reasonably knew and/or expected that it could be hailed into a California court as a future consequence of such activity. Symantec makes, uses, and/or sells infringing products within the Northern District of California and has a continuing presence and the minimum contacts with the Northern District of California where Defendant resides, such that this venue is a fair and reasonable one. Upon information and belief, Symantec has transacted and, at the time of the filing of this Complaint, is continuing to transact business within the Northern District of California. For all of these reasons, personal jurisdiction exists and venue is proper in this Court under 28 U.S.C. 1391(b)(1), (2) and (c)(2) and 28 U.S.C. 1400(b).

5. SoftVault has previously filed a lawsuit asserting the Patents-in-Suit (defined in paragraph 8 below) against Sybase, Inc. in this District. That case, styled SoftVault Systems, Inc. v. Sybase, Inc., Case No. 12-cv-01099 LHK, is currently pending in the San Jose Division. The present action has been designated as a related case.


PATENTS-IN-SUIT

6. On June 19, 2001, United States Patent No. 6,249,868 B1 ("the '868 Patent") was duly and legally issued for "METHOD AND SYSTEM FOR EMBEDDED, AUTOMATED, COMPONENT-LEVEL CONTROL OF COMPUTER SYSTEMS AND OTHER COMPLEX SYSTEMS." A true and correct copy of the '868 Patent is attached hereto as Exhibit A and made a part hereof.

7. On July 15, 2003, United States Patent No. 6,594,765 B2 ("the '765 Patent") was duly and legally issued for "METHOD AND SYSTEM FOR EMBEDDED, AUTOMATED, COMPONENT-LEVEL CONTROL OF COMPUTER SYSTEMS AND OTHER COMPLEX SYSTEMS." A true and correct copy of the '765 Patent is attached hereto as Exhibit B and made a part hereof.

8. The '868 Patent and the '765 Patent are sometimes referred to herein collectively as "the Patents-in-Suit."

9. As it pertains to this lawsuit, the Patents-in-Suit, very generally speaking, relate to a method and system of protecting electronic, mechanical, and electromechanical devices and systems, such as for example a computer system, and their components and software from unauthorized use. Specifically, certain claims of the '868 and '765 Patents disclose the utilization of embedded agents within system components to allow for the enablement or disablement of the system component in which the agent is embedded. The invention disclosed in the Patents-in-Suit discloses a server that communicates with the embedded agent through the use of one or more handshake operations to authorize the embedded agent. When the embedded agent is authorized by the server, it enables the device or component, and when not authorized, the embedded agent disables the device or component.

FIRST CLAIM FOR RELIEF
(Patent Infringement)

    10. SoftVault repeats and realleges every allegation set forth above.


11. SoftVault is the owner of the Patents-in-Suit with the exclusive right to enforce the Patents-in-Suit against infringers, and collect damages for all relevant times, including the right to prosecute this action.

12. Upon information and belief, Symantec is liable under 35 U.S.C. 271(a) for direct infringement of the Patents-in-Suit because it manufactures, makes, has made, uses, practices, imports, provides, supplies, distributes, sells, and/or offers for sale products and/or systems that practice one or more claims of the Patents-in-Suit.

13. More specifically, Symantec infringes the Patents-in-Suit because it manufactures, makes, has made, uses, practices, imports, provides, supplies, distributes, sells, and/or offers for sale products and systems which prevent unauthorized use of a computer system through the ability to enable or disable the operation of a device's components through an authorization process performed by an embedded agent in the component device and a server.

14. By way of example only, Symantec's "Mobile Management" system (which includes a "Mobile Management Server," the "Symantec Management Platform," a "Symantec Management Console," and a "Mobile Management Agent") has, at a minimum, in the past directly infringed and continues to directly infringe at least Claims 1 and 44 of the '868 Patent as well as at least Claim 9 of the '765 Patent.

15. Symantec's "Mobile Management" system includes the capability to enable or disable a mobile device, such as a laptop or smart phone. The "Mobile Management" system includes a "Mobile Management Agent" that operates on the mobile device and communicates with the "Mobile Management Server", which is also part of the "Mobile Management" system, through authentication software included in the "Mobile Management Agent." This communication includes a series of message exchanges constituting a handshake operation between the "Mobile Management Server" and the "Mobile Management Agent." Through this communication, the "Mobile Management Server" can authenticate and authorize a device in which the "Mobile Management Agent" is embedded. When the "Mobile Management Agent" is authorized by the "Mobile Management Server," the mobile device operates normally, and when the "Mobile Management Agent" is not authorized, the mobile device is remotely locked and disabled.

16. In addition, all Symantec products which include its product activation feature have, at a minimum, in the past directly infringed and continue to directly infringe at least Claim 44 of the '868 Patent, as well as at least Claim 11 of the '765 Patent. These infringing products include, but are not limited to, Norton brand software products such as Norton 360, Norton AntiVirus and Norton Internet Security, as well as Symantec Enterprise and Small Business software products such as Endpoint Protection and Backup Exec.

17. Symantec includes the product activation features in its software applications to enforce licensing policies and ensure that only authorized copies of Symantec software may be installed and used on a computer. The product activation feature requires that the installed Symantec application communicate with a Symantec license server over the Internet to activate (or enable) the application. Upon installation of a Symantec application, the product activation feature prompts a user to activate the application by entering in a product key. The license server exchanges messages constituting a handshake operation with the product activation feature in the application, which include the product key and an indication for the computer's hardware and software configuration, to determine whether the license for the application is valid. When the product activation feature is authorized by the license server, it enables the application in which it is embedded to operate normally. When the product activation feature is not authorized by the license server, the application is disabled.

18. Symantec has actual notice of the Patents-in-Suit at least as early as the filing of this Complaint.

19. SoftVault has been damaged as a result of Symantec's infringing conduct. Symantec is, thus, liable to SoftVault in an amount that adequately compensates SoftVault for Symantec's infringement, which, by law, cannot be less than a reasonable royalty, together with interest and costs as fixed by this Court under 35 U.S.C. 284.


PRAYER FOR RELIEF

SoftVault requests that the Court find in its favor and against Symantec, and that the Court grant SoftVault the following relief:

a. Judgment that one or more claims of the Patents-in-Suit have been infringed, either literally and/or under the doctrine of equivalents, by Symantec;

b. Judgment that Symantec account for and pay to SoftVault all damages to and costs incurred by SoftVault because of Symantec's infringing activities and other conduct complained of herein;

c. That Symantec, its officers, agents, servants and employees, and those persons in active concert and participation with any of them, be permanently enjoined from infringement of the Patents-in-Suit. In the alternative, if the Court finds that an injunction is not warranted, SoftVault requests an award of post judgment royalty to compensate for future infringement;

d. That SoftVault be granted pre-judgment and post-judgment interest on the damages caused to it by reason of Symantec's infringing activities and other conduct complained of herein;

e. That this Court declare this an exceptional case and award SoftVault its reasonable attorney's fees and costs in accordance with 35 U.S.C. 285;

f. That SoftVault be granted such other and further relief as the Court may deem just and proper under the circumstances.

JURY DEMAND

Plaintiff hereby requests a trial by jury pursuant to Rule 38 of the Federal Rules of Civil Procedure.


DATED: April 3, 2012

Alisa Lipski (State Bar No. 278710)
GOLDSTEIN & LIPSKI, PLLC
1177 West Loop South, Suite 400
Houston, TX 77027
Telephone: (713) 877-1515
Facsimile: (713) 877-1737
Email: [email protected]

Attorneys for Plaintiff
SOFTVAULT SYSTEMS, INC.

Of Counsel:
Edward Goldstein
GOLDSTEIN & LIPSKI, PLLC
1177 West Loop South, Suite 400
Houston, TX 77027
Telephone: (713) 877-1515
Facsimile: (713) 877-1737
Email: [email protected]

Jonathan T. Suder
Corby R. Vowell
Todd Blumenfeld
FRIEDMAN, SUDER & COOKE
Tindall Square Warehouse No. 1
604 East 4th Street, Suite 200
Fort Worth, Texas 76102
Telephone: (817) 334-0400
Facsimile: (817) 334-0401
Email: [email protected]
Email: [email protected]
Email: [email protected]


    Exhibit A


(12) United States Patent — Sherman et al.
(10) Patent No.: US 6,249,868 B1
(45) Date of Patent: Jun. 19, 2001

(54) METHOD AND SYSTEM FOR EMBEDDED, AUTOMATED, COMPONENT-LEVEL CONTROL OF COMPUTER SYSTEMS AND OTHER COMPLEX SYSTEMS

(75) Inventors: Edward G. Sherman, London (GB); Mark P. Sherman, Seattle, WA (US); George M. Reed, Saratoga, CA (US); Larry Saunders, San Diego, CA (US); Wayne Goldman, Sausalito, CA (US); Simon Whittle, Gladesville (AU)

(73) Assignee: Softvault Systems, Inc., Seattle, WA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/163,094
(22) Filed: Sep. 29, 1998

Related U.S. Application Data
(63) Continuation-in-part of application No. 09/047,975, filed on Mar. 25, 1998.

(51) Int. Cl.7: G06F 9/00
(52) U.S. Cl.: 713/168; 713/169; 713/200; 713/201; 380/255
(58) Field of Search: 380/255; 713/168, 713/169, 200, 201

(56) References Cited
U.S. PATENT DOCUMENTS
6,148,083 * 11/2000 Fieres et al. 380/255
6,148,333 11/2000 Guedalia et al. 709/219
6,157,953 12/2000 Chang et al. 709/225
6,158,010 * 12/2000 Moriconi et al. 713/201
* cited by examiner

Primary Examiner: Thomas R. Peeso
(74) Attorney, Agent, or Firm: Robert W. Bergstrom

(57) ABSTRACT

A method and system for protecting and controlling personal computers ("PCs") and components installed in or attached to PCs. The method and system may be used to protect PCs from use after being stolen. An exemplary embodiment of the system includes a server running on a remote computer and hardware-implemented agents embedded within the circuitry that controls the various devices within a PC. The agents intercept all communications to and from the devices into which they are embedded, passing the communications when authorized to do so, and blocking communications when not authorized, effectively disabling the devices. Embedded agents are continuously authorized from the remote server computer by handshake operations implemented as communications messages. When the PC is stolen or otherwise disconnected from the remote server, the embedded agents within the PC fail to receive further authorizations, disable the devices into which they are embedded, and effectively prevent any use of the stolen or disconnected PC. The method and system may also be used to control and manage access to software stored within the PC and to control and manage operation of hardware and software components within the PC.

73 Claims, 21 Drawing Sheets

[Front-page drawing: a circuit board with an embedded agent, the CPU 306 running the OS and an SCEA client 316, and the EASS server 318 on a remote server computer; reference numerals 302, 310, 314, 322.]

U.S. Patent, Jun. 19, 2001, US 6,249,868 B1, Drawing Sheets 1-21. The sheets are images; only the figure labels survived extraction and are summarized here.

Fig. 1 (Sheet 1 of 21): the PC and display monitor with the physical and password security devices described in the background (reference numerals 108, 122, 124, 126).

Fig. 2: block diagram of a PC's internal components: CPU 238, system controller, bus bridge, DRAM 216, in-memory programs, display circuitry 218 and expansion cards (reference numerals 202, 214, 220, 222, 240, 244, 254).

Fig. 3: a single embedded agent on a circuit board, an SCEA client and the OS on the PC's CPU, and the EASS server running on a remote server computer (reference numerals 308, 310, 312, 314, 316, 318, 320, 322).

Fig. 4 (Sheet 4 of 21): state diagram of an embedded agent. States: INITIAL POWER UP, INITIAL POWER-ON GRACE PERIOD, POWER-ON GRACE PERIOD, SEND SAVE ME, AUTHORIZED, NOT AUTHORIZED, NON-INITIAL POWER UP; transitions labelled SUCCESSFUL HANDSHAKE (reference numerals 408, 410, 420, 422, 424).

Fig. 5 (Sheet 5 of 21): state diagram of the security authorization server's interaction with one agent. States: IGNORANT OF AGENT 502, KNOWLEDGE OF AGENT, AGENT AUTHORIZED; transitions: RECEIVE SAVE ME, RECEIVE SEND ME WITH INITIAL PASSWORD, SUCCESSFUL HANDSHAKE, UNSUCCESSFUL HANDSHAKE 518 (reference numerals 516, 520).

Figs. 6A-6B: the EASS server table, with columns ADDRESS, CURRENT, OLD and AUTHORIZED, holding three example rows:

  ADDRESS                  CURRENT    OLD        AUTHORIZED
  SGATE301-JERRY@CCD.COM   FF631AC1   19FE2212   YES
  NET210-SUE@ELF.GOV       CB861A78   2217813A   YES
  XAMPLE@X.COM             ABCDEF01   ABCDEF01   NO

The third agent sends SAVE ME ABCDEF01 ABCDEF01 (Fig. 6A) and the server receives it (Fig. 6B).

Figs. 7A-7F: the server answers with AUTHORIZE 16F3A79; the agent replies CONFIRM AUTHORIZATION 16F3A79 ABCDEF01; the server updates the row to CURRENT 16F3A79, OLD ABCDEF01, AUTHORIZED YES with a countdown of 20:00, and sends OK 16F3A79 20:00.

Figs. 8A-8F: with the countdown at 2:00 the server sends AUTHORIZE 3AA61FB3; the agent replies CONFIRM AUTHORIZATION 3AA61FB3 16F3A79; the row becomes CURRENT 3AA61FB3, OLD 16F3A79, AUTHORIZED YES (countdown 1:59, then 1:58) and the server sends OK 3AA61FB3 20:00, after which the countdown is reset to 20:00.

Figs. 9A-9B: the agent sends SAVE ME 16F3A79 ABCDEF01 while the server's row still reads CURRENT 3AA61FB3, OLD 16F3A79; after receipt the row reads CURRENT 16F3A79, OLD ABCDEF01, AUTHORIZED YES.
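The handshake that the abstract and Figs. 4-9 describe (and that paragraph 9 of the complaint summarizes), as an added simulation that is not the patent's, SoftVault's or Symantec's code: it models the EASS server table (ADDRESS, CURRENT, OLD, AUTHORIZED), the SAVE ME / AUTHORIZE / CONFIRM AUTHORIZATION / OK exchange, the lease countdown, the lost-OK fallback of Fig. 9 and disabling on loss of contact. The 8-hex-digit passwords, the 20-tick lease, renewal at 2 ticks left, the grace-period length and the exact matching rules are assumptions of this example.

```python
# Constructed simulation of the embedded-agent / EASS-server handshake shown in the
# patent's Figs. 4-9; not the patent's or SoftVault's code. Message names and the table
# columns come from the figures; passwords, lease length and matching rules are assumed.
from dataclasses import dataclass
import secrets

LEASE, RENEW_AT = 20, 2   # "OK <pw> 20:00" lease; server re-authorizes at 2 ticks left

@dataclass
class Row:                # one line of the EASS server table
    current: str          # CURRENT password
    old: str              # OLD password
    authorized: bool = False
    ticks: int = 0        # countdown shown next to AUTHORIZED in Figs. 7-9
    pending: str = ""     # password sent in AUTHORIZE, awaiting CONFIRM

class EassServer:
    def __init__(self, table):
        self.table = {a: Row(cur, old) for a, (cur, old) in table.items()}
    def authorize(self, addr):
        self.table[addr].pending = secrets.token_hex(4).upper()   # e.g. ABCDEF01
        return ("AUTHORIZE", self.table[addr].pending)
    def on_save_me(self, addr, cur, old):
        row = self.table.get(addr)             # None: server is IGNORANT OF AGENT
        if row is None or (cur != row.old and (cur, old) != (row.current, row.old)):
            return None                        # UNSUCCESSFUL HANDSHAKE: stay silent
        row.current, row.old = cur, old        # cur == OLD means the agent missed an OK
        return self.authorize(addr)
    def on_confirm(self, addr, new_pw, prev_pw):
        row = self.table[addr]
        if new_pw != row.pending or prev_pw != row.current:
            return None                        # not the password we just issued
        row.old, row.current, row.pending = row.current, new_pw, ""
        row.authorized, row.ticks = True, LEASE
        return ("OK", new_pw, LEASE)
    def tick(self):                            # count leases down; renew the low ones
        out = []
        for addr, row in self.table.items():
            if row.ticks > 0:
                row.ticks -= 1
                row.authorized = row.ticks > 0
                if row.ticks == RENEW_AT:
                    out.append((addr, self.authorize(addr)))
        return out

class EmbeddedAgent:                           # passes device traffic only while ticks > 0
    def __init__(self, addr, current, old, grace=3):
        self.addr, self.current, self.old = addr, current, old
        self.pending, self.ticks = "", grace   # POWER-ON GRACE PERIOD
    def save_me(self):
        return ("SAVE ME", self.current, self.old)
    def on_authorize(self, new_pw):
        self.pending = new_pw
        return ("CONFIRM AUTHORIZATION", new_pw, self.current)
    def on_ok(self, pw, ticks):
        if pw == self.pending:
            self.old, self.current, self.pending = self.current, pw, ""
            self.ticks = ticks
    def tick(self):
        self.ticks = max(self.ticks - 1, 0)    # reaching 0 disables the device

def handshake(server, agent, authorize_msg, drop_ok=False):
    """AUTHORIZE -> CONFIRM AUTHORIZATION -> OK; drop_ok loses the final OK."""
    _, pw, prev = agent.on_authorize(authorize_msg[1])
    ok = server.on_confirm(agent.addr, pw, prev)
    if ok and not drop_ok:
        agent.on_ok(ok[1], ok[2])
    return ok is not None

def run_scenario():
    """Replay Figs. 6-9 for one agent, then cut it off from the server."""
    server = EassServer({"XAMPLE@X.COM": ("ABCDEF01", "ABCDEF01")})  # Fig. 6A row
    agent = EmbeddedAgent("XAMPLE@X.COM", "ABCDEF01", "ABCDEF01")
    row, log = server.table[agent.addr], {}
    # 1. power-up: SAVE ME -> AUTHORIZE -> CONFIRM AUTHORIZATION -> OK (Figs. 6A-7F)
    auth = server.on_save_me(agent.addr, *agent.save_me()[1:])
    log["first"] = (handshake(server, agent, auth) and row.authorized
                    and row.current == agent.current and row.old == "ABCDEF01")
    # 2. the lease runs down; at RENEW_AT the server rotates the password (Fig. 8)
    renewals, stayed_on = 0, True
    for _ in range(LEASE - RENEW_AT):
        agent.tick()
        stayed_on &= agent.ticks > 0
        for addr, msg in server.tick():
            renewals += handshake(server, agent, msg)
    log["renewed"] = renewals == 1 and stayed_on and row.ticks == agent.ticks == LEASE
    # 3. a lost OK leaves the two out of step; the agent's next SAVE ME carries the
    #    server's OLD password and the server falls back to the agent's pair (Fig. 9)
    handshake(server, agent, server.authorize(agent.addr), drop_ok=True)
    desynced = row.current != agent.current and row.old == agent.current
    auth = server.on_save_me(agent.addr, *agent.save_me()[1:])
    log["resynced"] = (desynced and handshake(server, agent, auth)
                       and (row.current, row.old) == (agent.current, agent.old))
    # 4. stolen or disconnected: no OK arrives and the agent disables the device
    for _ in range(LEASE):
        agent.tick()
    log["disabled"] = agent.ticks == 0
    return log
```

A SAVE ME with passwords that match neither the row's CURRENT/OLD pair nor its OLD password is simply not answered, so an unknown or mismatched party cannot obtain an AUTHORIZE message or disturb the legitimate agent's row.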

US 6,249,868 B1

METHOD AND SYSTEM FOR EMBEDDED, AUTOMATED, COMPONENT-LEVEL CONTROL OF COMPUTER SYSTEMS AND OTHER COMPLEX SYSTEMS

RELATED APPLICATIONS

This application is a continuation-in-part of co-pending U.S. application Ser. No. 09/047,975 that was filed on Mar. 25, 1998.

TECHNICAL FIELD

The present invention relates to control of computer systems and other types of complex systems at the component level and, in particular, to a method and system for securing a complex system by embedding agents within one or more components of the complex system in order to control access to components within the complex system.

BACKGROUND OF THE INVENTION

Computer security is a very broad and complex field within which, during the past several decades, a number of important sub-fields have developed and matured. These sub-fields address the many different problem areas in computer security, employing specialized techniques that are particular to specific problems as well as general techniques that are applicable in solving a wide range of problems. The present application concerns a technique that can be used to prevent the theft and subsequent use of a personal computer ("PC") or of various PC components included in, or attached to, a PC. This technique may make use of certain security-related techniques which have been employed previously to address other aspects of computer security, and this technique may itself be employed to address both computer security problems other than theft as well as various aspects of computer reliability, computer administration, and computer configuration. In addition, this technique may be applied to protecting other types of complex electronic and mechanical systems as well as computer software and other types of information encoded on various types of media.

PCs are ubiquitous in homes, offices, retail stores, and manufacturing facilities. Once a curiosity possessed only by a few hobbyists and devotees, the PC is now an essential appliance for business, science, professional, and home use. As the volume of PCs purchased and used has increased, and as PC technology has rapidly improved, the cost of PCs has steadily decreased. However, a PC is still a relatively expensive appliance, especially when the cost of the software installed on the PC and the various peripheral devices attached to the PC are considered. PCs, laptop PCs, and even relatively larger server computers have all, therefore, become attractive targets for theft.

FIG. 1 illustrates various types of security systems commonly employed to prevent theft of PCs and PC components. A PC 102 is mounted on a table 104 and is connected to a keyboard-input device 106 and a display monitor 108. The PC 102 is physically secured to the table 104 with a hinged fastening device 110, which can be opened and locked by inserting a key 112 into a lock 114. The display monitor 108 is physically attached to the table via a cable 116 and cylindrical combination lock 118 system. Serial numbers 120 or 122 are attached to, or imprinted on, the side of the PC 102 and the side of the display monitor 108, respectively. Finally, there is a software-implemented lock and key system for controlling access to the operating system and hence to the various application programs available on the PC 102. Typically, a graphical password-entry window 124 is displayed on the screen 126 of the display monitor 108. In order to use the computer, the user types a password via the keyboard 106 into the password subwindow 128 of the password-entry window 124. The user then depresses a keyboard key to indicate to a security program that password entry is complete. As the user types the password, each letter of the password appears at the position of a blinking cursor 130. The characters of the password are either displayed explicitly, or, more commonly, asterisks or some other punctuation symbol are displayed to indicate the position within the password in which a character is entered so that an observer cannot read the password as it is entered by the user. The security program checks an entered password against a list of authorized passwords and allows further access to the operating system only when the entered password appears in the list. In many systems, both a character string identifying the user and a password must be entered by the user in order to gain access to the operating system.

The common types of security systems displayed in FIG. 1 are relatively inexpensive and are relatively easily implemented and installed. They are not, however, foolproof and, in many cases, may not provide even adequate deterrents to a determined thief. For example, the key 112 for the hinged fastening device 110 can be stolen, or the fastening device can be pried loose with a crowbar or other mechanical tool. A clever thief can potentially duplicate the key 112 or jimmy the lock 114. The cable 116 can be cut with bolt cutters or the cylindrical combination lock 118 can be smashed with a hammer. Often, the combination for the cylindrical combination lock 118 is written down and stored in a file or wallet. If that combination is discovered by a thief or accomplice to theft, the cylindrical combination lock will be useless. In the situation illustrated in FIG. 1, if the table is not bolted to the floor, a thief might only need to pick up the display monitor 108, place it on the floor, slide the cable down the table leg to the floor, and lift the table sufficiently to slip the cable free. While this example might, at first glance, seem silly or contrived, it is quite often the case that physical security devices may themselves be more secure than the systems in which they are installed, taken as a whole. This commonly arises when security devices are installed to counter certain obvious threats but when less obvious and unexpected threats are ignored or not considered.

While the serial numbers 120 and 122, if not scraped off or altered by a thief, may serve to identify a PC or components of the PC that are stolen and later found, or may serve as notice to an honest purchaser of second-hand equipment that the second-hand equipment was obtained by illegal means, they are not an overpowering deterrent to a thief who intends to use a purloined PC or PC component at home or to sell the purloined PC to unsavory third parties.

Password protection is commonly used to prevent malicious or unauthorized users from gaining access to the operating system of a PC and thus gaining the ability to examine confidential materials, to steal or corrupt data, or to transfer programs or data to a disk or to another computer from which the programs and data can be misappropriated. Passwords have a number of well-known deficiencies. Often, users employ easily remembered passwords, such as their names, their children's names, or the names of fictional characters from books. Although not a trivial undertaking, a determined hacker can often discover such passwords by repetitive trial and error methods. As with the combination for the cylindrical combination lock 118, passwords are often written down by users or revealed in conversation. Even if the operating system of the PC is inaccessible to a thief who steals the PC, that thief may relatively easily interrupt the boot process, reformat the hard drive, and reinstall the operating system in order to use the stolen computer.

More elaborate security systems have been developed or proposed to protect various types of electrical and mechanical equipment and to protect even living creatures. For example, one can have installed in a car an electronic device that can be remotely activated by telephone to send out a homing signal to mobile police receivers. As another example, late model Ford and Mercury cars are equipped with a special electronic ignition lock, which is activated by a tiny transmitter, located within a key. As still another example, small, integrated-circuit identification tags can now be injected into pets and research animals as a sort of internal serial number. A unique identification number is transmitted by these devices to a reading device that can be passed over the surface of the pet or research animal to detect the unique identification number. A large variety of different data encryption techniques have been developed and are commercially available, including the well known RSA public/private encryption key method. Devices have been built that automatically generate computer passwords and that are linked with password devices installed within the computer to prevent hackers from easily discovering passwords and to keep the passwords changing at a sufficient rate to prevent extensive access and limit the damage resulting from discovery of a single password.

While many of these elaborate security systems are implemented using highly complex circuitry and software based on complex mathematical operations, they still employ, at some level, the notion of a key or password that is physically or mentally possessed by a user and thus susceptible to theft or discovery. A need has therefore been recognized for a security system for protecting PCs and components of PCs from theft or misuse that does not depend on physical or software implemented keys and passwords possessed by users. Furthermore, a need has been similarly recognized for intelligent security systems to protect the software that runs on PCs and to protect other types of complex electronic and mechanical systems, including automobiles, firearms, home entertainment systems, and creative works encoded in media for display or broadcast on home entertainment systems.

SUMMARY OF THE INVENTION

…fore disabled. User-level passwords are neither required nor provided, and the security system cannot be thwarted by reinstalling the PC's operating system or by replacing programmable read only memory devices that store low-level initialization firmware for the PC.

Alternative embodiments of the present invention include control and management of software and hardware on a pay-to-purchase or pay-per-use basis, adaptive computer systems, and control and security of electrical and electromechanical systems other than computers. A computer system may be manufactured to include various optional hardware and software components controlled by embedded agents and initially disabled. When the purchaser of the computer system later decides to purchase an optional preinstalled but disabled component, the manufacturer can enable the component by authorizing an associated embedded agent upon receipt of payment from the owner of the system. Similarly, the owner of the computer system may choose to rent an optional component for a period of time, and that component can then be authorized for the period of time by the manufacturer upon receipt of payment. Software may be manufactured to require authorization from a server via an embedded agent either located within the disk drive on which the software is stored or located within the software itself. Computer systems may automatically adjust their configuration in response to changes in workload by enabling and disabling components via embedded agents. Finally, systems other than computers, including industrial machine tools, processing equipment, vehicles, and firearms may be controlled and secured by embedding agents within one or more components included in the systems.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates various types of security systems commonly employed to prevent theft of PCs and PC components.

FIG. 2 is a block diagram of example internal components of a PC connected to a remote server.

FIG. 3 is a block diagram of example hardware and software components and communications pathways that implement a single embedded agent connected to a client that is, in turn, connected to a security authorization server.

FIG. 4 is a state diagram for an example embedded agent.

FIG. 5 is an example state diagram for the interaction of a security authorization server with one embedded agent.

FIG. 6A illustrates an example initiation of the sending of a SAVE ME message by an embedded agent.

FIG. 6B illustrates an example receipt of a SAVE ME

    50 message by a security authorization server.One embodiment of the present invention provides asecurity system for protecting a PC and componentsinstalled in or attached to the PC from use after being stolen.Agents are embedded within various devices within the PC.The agents are either hardware-implemented logic circuitsincluded in the devices or firmware or software routinesrunning within the devices that can be directed to enable and

    disable the devices in which they are embedded. The agents 55intercept communications to and from the devices intowhich they are embedded, passing the communicationswhen authorized to do so in order to enable the devices, andblocking communications when not authorized, effectivelydisabling the devices. Embedded agents are continuouslyauthorized from a remote server computer, which is coupled

    FIGS. 7A-F illustrate the handshake operation that imm -diately follows receipt by an example EASS server of .aSAVE ME message from an example EASS embedded age tin the Initial Power-On Grace Period state.FIGS. 8A-F illustrate a second example handshake oper -tion that follows the original handshake operation of FIG .7A-F by some period of time less than the original auth -rization period.FIGS. 9A-B illustrate the recovery mechanism that is

    60 employed by an example EASS embedded agent in the eve tthat the OK message of FIGS. 8E-F was lost andto embedded agents via a communications medium, byhandshake operations implemented as communications messages. When the PC is disconnected from the communications link to the remote server, as happens when the PC is 65stolen, the devices protected by embedded agents no longerreceive authorizations from the remote server and are there-

    received by the EASS embedded agent.DETAiLED DESCRIPTION OF TilEINVENTION

    One embodiment of the present invention is an embedd dagent security system ("EASS") for protecting a PC, a d,


US 6,249,868 B1

more particularly, the internal components of a PC, from misuse or misappropriation. The EASS includes a server component, one or more embedded agents, and, optionally, a client component. The server component is a centralized repository and control point that provides authorizations to agents embedded within PC components and connected to the server component via a communications connection. The server authorizations allow the embedded agents to enable operation of the components within which the embedded agents reside for a period of time. The server component runs on a separate server computer, which is connected by a communications medium to the PC. An embedded agent is embedded as a logic circuit within the circuitry that controls operation of an internal component of the PC or is embedded as a firmware or software routine that runs within the internal component of the PC. The client component, when present, runs as a software process on the PC. The client component of the EASS primarily facilitates communications between the server component and the various embedded agents. For example, when multiple embedded agents are included in the PC, the client component may serve as a distribution and collection point for communications between the server component and the multiple embedded agents.

Because embedded agents enable operation of the internal components in which they are embedded, and because embedded agents require frequent authorizations from the server component in order to enable the internal components, if the communications connection between the server component and an embedded agent is broken, the internal component in which the embedded agent resides will be disabled when the current period of authorization expires. The communications connection between the server and all embedded agents within the PC will be broken when the PC is powered down or disconnected from the external communications medium by which the PC is connected to the server. Thus, any attempt to steal the PC will result in the theft of a PC that will not be operable once the current period of authorization expires. In order to subsequently operate the PC, the thief would need to reconnect the PC to the server and invoke either client or server utilities to reinitialize the embedded agents. These utilities are themselves protected by password mechanisms. The thief cannot circumvent the embedded agents by reinstalling the operating system or by replacing programmable read only memories ("PROMs"). The stolen PC is therefore essentially worthless to the thief, and, perhaps more important, the data stored within the PC is inaccessible to the thief as well as to any other party.

Certain implementations of this embodiment may rely on one or more internal password identification mechanisms. However, unlike the other well-known security systems discussed above, the user of a PC protected by the EASS does not need to possess a password and is, in fact, not allowed to know or possess the passwords used internally within the EASS.

In a preferred implementation of this embodiment, the server and client components are implemented in software and the embedded agents are implemented as hardware logic circuits. However, all three of these components may be implemented either as software routines, firmware routines, hardware circuits, or as a combination of software, firmware, and hardware.

EASS Hardware and Software Configuration

FIG. 2 is a block diagram of example internal components of a PC connected to a remote server. The remote server 202 is connected to the PC 204 via a connection 206 that represents a local area network which is possibly itself connected to a wide area network and which supports one of any number of common network protocols or combinations of protocols to transfer messages back and forth between the server component 202 and the PC 204. Messages may be transmitted, for example, via the Internet. The PC 204 is connected to an external output device, in this case a display monitor 208, and to two input devices, a mouse 210 and a keyboard 212. Internal components of the PC include a central processing unit ("CPU") 214; a random access memory 216; a system controller 218; a hard disk 220; and a number of device controllers 222, 224, 226, 228, and 230 connected to the system controller 218 directly through a high speed bus 232, such as a PCI bus, or through a combination of the high speed bus 232, a bus bridge 234, and a low speed bus 236 such as an ISA bus. The CPU 214 is connected to the system controller 218 through a specialized CPU bus 238 and the RAM memory 216 is connected to the system controller 218 through a specialized memory bus 240. FIG. 2 represents one possible simple configuration for the internal components of a PC. PCs having different numbers or types of components or employing different connection mechanisms other than PCI or ISA buses may have quite different internal configurations.

The device controllers 222, 224, 226, 228, and 230 are normally implemented as printed circuit boards, which include one or more application specific integrated circuits ("ASICs") 242, 244, 246, 248, and 250. The ASICs, along with firmware that is normally contained in various types of ROM memory on the printed circuit boards, implement both a communications bus interface and a command interface. The communications bus interface allows for data and message communication with operating system routines that run on the CPU 214. The command interface enables the operating system to control the peripheral device associated with the device controller. For example, the hard disk 220 comprises a number of physical platters on which data is stored as tiny magnetized regions of the iron oxide surface of the platters (not shown), a motor for spinning the platters (not shown), and a printed circuit board 228 which implements circuitry and firmware routines that provide a high-level interface to operating system drivers. In modern disks, there is often a printed circuit board that includes an ASIC that is packaged within the disk as well as a printed circuit board card that is connected via a bus to other internal components of the PC, including the system controller 218 and the CPU 214.

Programs that run on the CPU 214, including the operating system and the EASS client, are permanently stored on a hard disk 252 and are transiently stored in RAM 254 for execution by the CPU 214. Logic circuitry that implements the embedded agents of the EASS is included within the ASICs that implement the various device controllers 242, 244, 246, 248, and 250. The device controller may control such devices as optical disk devices, tape drives, modems, and other data sources and communications devices. EASS embedded agents can be additionally included within the circuitry that implements RAM 216, the system controller 218, and even the CPU 214. One skilled in the art will recognize that any circuit in which communications can be intercepted may reasonably host an embedded agent and that many other locations may therefore host embedded agents. Further, a PC 204 may include only a single embedded agent or may include a number of EASS embedded agents.

FIG. 3 is a block diagram of example hardware and software components and communications pathways that


implement a single embedded agent connected to a client which is, in turn, connected to a security authorization server. In one embodiment, the EASS embedded agent 302 is a logic circuit embedded within an ASIC 304 which is included on a printed circuit board 306 that implements a particular device controller. The device controller is connected through one or more internal communications buses 308 to an EASS client program 310 implemented as a driver within the operating system 312 running on the CPU 314 of the personal computer. The CPU 304 is, in turn, connected through one or more internal buses, such as a PCI bus, and external communication lines, such as a LAN or a LAN combined with a WAN 316, to the server computer 318. The components of the server computer that implement the EASS server include an EASS server program 320 and a non-volatile storage device 322 in which the EASS server program 320 stores authorization and embedded agent information. The EASS server program 320 exchanges information with the non-volatile storage device 322 via internal buses 324 of the server computer 318. There are a variety of ways in which the embedded agent and authorization information can be stored by the EASS server 320 on the non-volatile storage device 322. In one implementation of the described embodiment, this data is stored within a commercial database management system, such as a relational database.

Messages and commands that are passed to the device controller 306 for a particular internal or peripheral device over the communications bus 308 first pass through the EASS embedded agent logic 302 before entering the ASIC circuitry 304 that implements the device controller. The EASS embedded agent 302 is associated with a number of non-volatile registers 326 that store authorization state information. When the embedded agent has been authorized by an EASS server 320, or during a short grace period following power up, the EASS embedded agent passes messages and commands through to the ASIC 304 that implements normal message handling and the device controller. However, when the EASS embedded agent 302 is not authorized by the EASS server 320, or when an initial power-on grace period has expired, the EASS embedded agent blocks messages and commands to the ASIC 304 thereby disabling the device controlled by the device controller 306. The EASS embedded agent thus serves as a hardware-implemented control point by which a device is enabled or disabled. Authorization messages pass from the EASS server 320 through communications pathways 316 and 308 to the EASS embedded agent 302. The EASS embedded agent 302 can also initiate a message and pass the message through pathways 308 and 316 to the EASS server 320. For example, the EASS embedded agent 302 may request authorization from the EASS server 320.

In the described embodiment, the EASS client 310 facilitates communications between the EASS server 320 and the EASS embedded agent 302. When a PC includes more than one EASS embedded agent, the EASS client 310 handles routing of messages from the EASS server 320 to individual EASS embedded agents 302 and collects any messages initiated by EASS embedded agents 302 and forwards them to the EASS server 320. In addition, the EASS client 310 may support a small amount of administrative functionality on the PC that allows the EASS to be reinitialized in the event of loss of connection or power failure. The EASS client 310 may not be a required component in alternative embodiments in which an EASS server 320 communicates directly with EASS embedded agents 302.

In alternative embodiments, the EASS server may communicate with EASS embedded agents by a communications medium based on transmission of optical or radio signals rather than on electrical signals. Moreover, alternate embodiments may employ multiple EASS servers that may be implemented on remote computers or that may be included within the same computer that hosts the EASS embedded agents.

EASS Server and Embedded Agent State Transitions

FIG. 4 is a state diagram for an example embedded agent. FIG. 4 shows four different states that an EASS embedded agent may occupy: (1) an Initial Power-On Grace Period state 402; (2) a Power-On Grace Period state 404; (3) an Authorized state 406; and (4) a Not Authorized state 408. Transitions between these states arise from three types of events: (1) a successful handshake between the embedded agent and the EASS server that results in transfer of an authorization by the EASS server to the embedded agent to permit operation of the device associated with the EASS embedded agent for some period of time; (2) a time out that occurs when the EASS embedded agent has exhausted its current authorization period prior to receiving a subsequent re-authorization from the EASS server; and (3) a special back-door mechanism that allows an entity such as the EASS client to reinitialize an EASS embedded agent so that the EASS embedded agent can reestablish contact with an EASS server following interruption of a previous connection.

Following an initial power up 410 of the device hosting an EASS embedded agent, the EASS embedded agent enters an Initial Power-On Grace Period 402. The Initial Power-On Grace Period allows operation of the device controlled by the EASS embedded agent for some short period of time following power up of the PC necessary for initialization of the PC that contains the device and embedded agent and allows for establishment of contact between the EASS embedded agent and an EASS server. When in the Initial Power-On Grace Period 410, the EASS embedded agent contains one of a certain number of initial passwords that are recognized by EASS servers as belonging to EASS embedded agents in the Initial Power-On Grace Period. These initial passwords allow an EASS server to distinguish a valid request for handshake operation from an attempt to solicit authorization by an embedded agent that has been previously authorized by an EASS server. In the latter case, the embedded agent may well be hosted by a stolen or misused device. From the Initial Power-On Grace Period state, the EASS embedded agent may send a solicitation message, for example, a "SAVE ME" message to an EASS server to announce that the EASS embedded agent has been powered up for the first time, as indicated by transition arrow 412, and to solicit a handshake operation. Sending of the SAVE ME solicitation message does not, by itself, cause a state transition. When an EASS server receives a SAVE ME message from an EASS embedded agent, the EASS server undertakes sending of an authorization to the EASS embedded agent through a handshake mechanism, to be described below. The handshake may either fail or succeed. If a handshake fails, the EASS embedded agent remains in the state that it occupied prior to initiation of the handshake.

When an EASS embedded agent is in the Initial Power-On Grace Period, a successful handshake operation results in the EASS embedded agent transitioning 414 to an Authorized state 406. At regular intervals, the EASS server continues to reauthorize the EASS embedded agent through successive handshake operations 416 which result in the EASS embedded agent remaining in the Authorized state 406. In the


Authorized state 406, the EASS embedded agent passes through commands and data to the device that it controls allowing that device to operate normally. If, for any number of reasons, the EASS embedded agent does not receive reauthorization prior to the expiration of the current authorization that the embedded agent has received from an EASS server, a time out occurs causing transition 418 of the EASS embedded agent to the Not Authorized state 408.

In the Not Authorized state 408, the EASS embedded agent blocks commands and data from being transmitted to the device controlled by the EASS embedded agent, effectively disabling or shutting down the device. Alternatively, the EASS embedded agent may actually power down a device that can be powered down independently from other internal components of the PC. When in the Not Authorized state 408, the EASS embedded agent may send a SAVE ME message 420 to an EASS server. Sending of this message does not, by itself, cause a state transition, as indicated by arrow 420. However, if an EASS embedded agent receives the SAVE ME message and initiates a handshake operation that is successfully concluded, the EASS embedded agent transitions 422 from the Not Authorized state 408 back to the Authorized state 406.

The EASS embedded agent and the device that the EASS embedded agent controls can be powered up any number of times following an initial power up. The EASS embedded agent stores enough information in a number of non-volatile registers associated with the EASS embedded agent (e.g., registers 326 in FIG. 3) to differentiate a normal or non-initial power up from an initial power up. Following a non-initial power up 424, the EASS embedded agent transitions 426 to a Power-On Grace Period state 404. When occupying the Power-On Grace Period state 404, the EASS embedded agent may send a SAVE ME message to an EASS server. The sending of the SAVE ME message 428 does not, by itself, cause a state transition, as indicated by arrow 428. The Power-On Grace Period lasts a short period of time sufficient for the PC to be booted and all of the internal components to be initialized and for the EASS embedded agents controlling those components to establish contact with an EASS server. If an EASS server, upon receiving the SAVE ME message, successfully completes a handshake operation, the EASS embedded agent transitions 430 from the Power-On Grace Period 404 to the Authorized state 406. If a successful handshake operation is not completed before the short Power-On Grace Period authorization period expires 432, the embedded agent transitions 432 from the Power-On Grace Period 404 to the Not Authorized state 408.

A special mechanism is provided for reinitialization of an EASS embedded agent following normal power on. That mechanism is referred to as the "back door" mechanism. The back door mechanism may be initiated, at the direction of a user or administrator, by an EASS client running on the same PC that includes the embedded agent, or may be initiated by an EASS server upon discovery by the EASS server of a failed or interrupted connection. When the EASS embedded agent receives a message that implements the back door mechanism, the EASS embedded agent transitions 434 from the Power-On Grace Period 404 back to the Initial Power-On Grace Period 402. In alternative embodiments, the back door mechanism might allow for transitions from either of the other two states 406 and 408 back to the Initial Power-On Grace Period state. In more complex embodiments, the back door mechanism might allow for transitions to states other than the Initial Power-On Grace Period.

FIG. 5 is an example state diagram for the interaction of a security authorization server with one embedded agent. With respect to an EASS embedded agent, the EASS server may occupy any one of three states at a given instant in time: (1) the EASS server may be in an Ignorant of Agent state 502; (2) the EASS server may be in a Knowledgeable of Agent state, aware of but not having authorized the agent 504; and (3) the EASS server may be in an Agent Authorized state 506. Initially, an EASS server is ignorant of the embedded agent, and thus occupies the Ignorant of Agent state 502. When the EASS server receives a SAVE ME message from the EASS embedded agent that is in the Initial Power-On Grace Period state (402 in FIG. 4), the EASS server transitions 508 from the Ignorant of Agent state 502 to the Knowledgeable of Agent state 504. As part of this transition, the EASS server typically makes an entry into a database or enters a record into a file that allows the EASS server to preserve its awareness of the EASS embedded agent. The EASS server may receive SAVE ME messages from the EASS embedded agent when occupying either the Knowledgeable of Agent state 504 or the Agent Authorized state 506. As indicated by arrows 510 and 512, receipt of SAVE ME messages by the EASS server in either of states 504 and 506 does not, by itself, cause a state transition.

The EASS server may initiate and complete a successful handshake operation with the EASS embedded agent while the EASS server occupies the Knowledgeable of Agent state 504 with respect to an agent. Completion of a successful handshake operation causes the EASS server to transition 514 from the Knowledgeable of Agent state 504 to the Agent Authorized state 506 with respect to the agent. This transition may be accompanied by the saving of an indication in a database or a file by the EASS server that indicates that the embedded agent is authorized for some period of time. When occupying the Agent Authorized state, the EASS server may continue to initiate and complete successful handshake operations with the embedded agent and, by doing so, continue to occupy the Agent Authorized state. However, if a handshake operation is unsuccessful, the EASS server transitions 518 from the Agent Authorized state 506 back to the Knowledgeable of Agent state 504.

In some embodiments of the present invention, there may be an additional transition 520 from the Knowledgeable of Agent state 504 back to the Ignorant of Agent state 502. This transition corresponds to a purging or cleaning operation that allows an EASS server to purge database entries or file records corresponding to a particular EASS embedded agent if the EASS server is unsuccessful in authorizing that EASS embedded agent for some period of time. Such a purging operation allows the EASS server to make room in a database or file to handle subsequent entries for EASS embedded agents that announce themselves using SAVE ME messages from an Initial Power-On Grace Period state.

EASS Messages

FIGS. 6A-9B illustrate details of the sending and receiving of SAVE ME messages and of the EASS server-initiated handshake operation. In each of these figures, example contents of the non-volatile registers associated with an EASS embedded agent, contents of a message, and contents of a portion of the database associated with an EASS server are shown. FIG. 6A will be numerically labeled and described in the discussion below, but the labels will be repeated in FIGS. 6B-9B only when the labels are relevant to an aspect of the EASS in the figure referenced in the discussion of the figure.

FIG. 6A illustrates initiation of the sending of a SAVE ME message by an EASS embedded agent. The EASS embedded


    agent 602 is associated with three non-volatile registers thatcontain: (1) the current password 604; (2) the previouspassword 606; and (3) the time remaining for the currentauthorization period 608. Passwords may comprise computer words of 56 bits, 64 bits, or a larger number of bits that 5provide a sufficiently large number of unique initial passwords. The direction of propagation of the SAVE MEmessage is indicated by arrow 610. The SAVE ME message612 being transmitted is displayed along with its informational content 614. The EASS server 616 contains a repre- 10sentation of a portion of a database that contains information

    12FIG. 6B illustrates receipt of a SAVE ME message by anEASS server. In this case, the EASS server 616 was, priorto receipt of the SAVE ME message, in the Ignorant ofAgentstate (502 of FIG. 5) with respect to the EASS embeddedagent 602. Receipt of the SAVE ME message 612 causes theEASS server 616 to transition to the Knowledgeable ofAgent state (504 of FIG. 5). In making this transition, theEASS server 616 enters information gleaned from the SAVE

    ME message 612 into row 632 of the database 618 associ-ated with the EASS server 616. The address from which themessage was received can be determined from fields contained within a message header (not shown in FIG. 6B). Thisaddress may be the communications address of an individualEASS embedded agent, a combination of the communica-tions address of the client and an internal identificationnumber of the device hosting the EASS embedded agent, orsome other unique identifier for the EASS embedded agentthat can be mapped to a communications address. Thedetails of the formats of message headers are specific to theparticular types of communications mechanisms and implementations. In this example, the addresses are stored asInternet addresses. The stored Internet address is the addressof the EASS client running on the PC in which the EASSembedded agent is resident. This address may be enhancedby the EASS server 616 by the addition of characters to theaddress or subfields within either the address or in themessage header to provide sufficient information for thereceiving EASS client to identify the particular EASSembedded agent to which the message is addressed.

    about EASS embedded agent authorizations 618. This database contains columns that indicate the communications ornetwork address of the EASS embedded agent 620, theEASS embedded agent's current password 622, the EASSembedded agent's previous password 624, and an indication 15of whether the EASS embedded agent is currently authorized or not 626. Additional or alternative columns may bepresent. For example, the next column 628 is used insubsequent figures to store the amount of time for which theEASS embedded agent is authorized. Each row in the 20database 630-633 represents one particular EASS embedded agent. Rows 630 and 631 contain information forpreviously authorized EASS embedded agents (not shown).EASS embedded agent 602 of FIG. 6A is in the InitialPower-On Grace Period state (402 of FIG. 4) and the EASS 25server 616 of FIG. 6Ais, with respect to the embedded agent602, in the Ignorant of Agent state (502 of FIG. 5). Rectangular inclusions 634 and 636 represent the implementation of, and any volatile storage associated with, the EASSembedded agent and the EASS server, respectively. 30 Alternatively, a different address might be established foreach EASS embedded agent or an internal address fieldmight be included in each message sent from the EASSserver to an EASS client that further specifies the particular

    In one embodiment, when the EASS embedded agent 602is in the Initial Power-On Grace Period, it has an initial timeremaining period of two minutes, as indicated by the contents of the time remaining non-volatile register 608. Thisinitial time remaining period is chosen to be sufficient for the 35EASS embedded agent 602 to establish a connection withthe EASS server 616, to solicit a handshake operation, andto complete the solicited handshake operation and may varyin duration for different types of computers. Both the currentpassword register 604 and the previous password register 40606 contain a default initial password that is recognized byEASS servers as corresponding to an EASS embedded agentin the Initial Power-On Grace Period state. It should be notedthat there may be a great number of different such defaultpasswords. In the described embodiment, the circuitry that 45implements the EASS embedded agent notes that the authorization time remaining is two minutes, and that it istherefore necessary for the EASS embedded agent 602 tosend a SAVE ME message 612 to an EASS server to requestcontinuation of authorization. Thus, the EASS embedded 50agent 602 initiates sending of the SAVE ME message 612.

    The SAVE ME message 612 contains an indication oroperation code 638 designating the message as a SAVE MEmessage, the contents of the current password register 640,and the contents of the previous password register 642. In 55the case of an EASS embedded agent in the Initial Power-OnGrace Period state, both the current password and previouspassword registers contain the same initial password in thepresent embodiment. Alternative embodiments might usedifferent initial current and previous passwords. In general, 60sending both the current password and the previous password provides sufficient information for the EASS serverthat receives the SAVE ME message to correct any errors ordiscrepancies that may have arisen during a previous failedhandshake. An example of a recovery from a failed hand- 65shake operation will be described below with reference toFIGS. 9A-B.

    EASS embedded agent to which the message is addressed.Thus, receipt of the SAVE ME message has allowed theEASS server 616 to store the address "[email protected]"632 to identify the EASS embedded agent 602 from whichthe message was received, to store the current and previouspasswords 644 and 646 taken from the received SAVE MEmessage 612, and to store an indication that the EASSembedded agent 602 is not authorized 648.

    FIGS. 7A-F illustrate the handshake operation that immediately follows receipt by an example EASS server of a SAVE ME message from an example EASS embedded agent in the Initial Power-On Grace Period state. The handshake operation is initiated, as shown in FIG. 7A, by the EASS server 702. The EASS server 702 generates a new, non-initial password for the EASS embedded agent 704 and stores the new password in volatile memory 706. The EASS server then sends an authorization message 708, for example an "AUTHORIZE" message, to the EASS embedded agent 704 that contains the newly generated password 710 along with an indication 712 that this is an AUTHORIZE message. FIG. 7B illustrates receipt of an example AUTHORIZE message by an example EASS embedded agent. The EASS embedded agent 704 stores the newly generated password 710 contained in the AUTHORIZE message 708 into a volatile memory location 714 implemented in the circuitry of the EASS embedded agent 704.

US 6,249,868 B1

    FIG. 7C illustrates sending, by an example EASS embedded agent, of an authorization confirmation message, for example a "CONFIRM AUTHORIZATION" message. The EASS embedded agent 704 sends a CONFIRM AUTHORIZATION message 716 back to the EASS server 702 from which an AUTHORIZE message was received. The CONFIRM AUTHORIZATION message 716 contains the new password sent in the previous AUTHORIZE message by the EASS server 718 as well as the contents of the current password register 720. The CONFIRM AUTHORIZATION message confirms receipt by the EASS embedded agent 704 of the AUTHORIZE message 708.

    FIG. 7D illustrates receipt of the CONFIRM AUTHORIZATION message 716 by an example EASS server. The EASS server 702 updates the current password and previous password 722 and 724 within the associated database 726 to reflect the contents of the CONFIRM AUTHORIZATION message 716 after checking to make sure that the new password returned in a CONFIRM AUTHORIZATION message is identical to the in-memory copy 706 of the new password. If the new password contained in the CONFIRM AUTHORIZATION message is different from the new password stored in memory 706, then the handshake operation has failed and the EASS server 702 undertakes a new handshake operation with the EASS embedded agent 704.

    FIG. 7E illustrates sending by the EASS server of a completion message, for example an "OK" message, in response to receipt of the CONFIRM AUTHORIZATION message in order to complete the handshake operation. The EASS server 702 prepares and sends an OK message 728 that contains both the new password and an indication of the time for which the EASS embedded agent 704 will be authorized upon receipt of the OK message.

    FIG. 7F illustrates receipt of the OK message 728 by an example EASS embedded agent. Once the EASS server 702 has sent the OK message, the EASS server 702 updates the database 726 to indicate that the client is authorized 729 as well as to store an indication of the time 730 for which the EASS embedded agent has been authorized. At this point, the EASS server 702 has transitioned from the Knowledgeable of Agent state (504 in FIG. 5) to the Agent Authorized state (506 in FIG. 5). Upon receipt of the OK message 728, the EASS embedded agent 704 updates the current password register 720 to reflect the new password sent to the EASS embedded agent in the original AUTHORIZE message 708 after placing the contents of the current password register 720 into the previous password register 732. The EASS embedded agent 704 also updates the time remaining register 734 to reflect the authorization time 736 contained in the received OK message. At this point, the EASS embedded agent transitions from the Initial Power-On Grace Period state (402 in FIG. 4) to the Authorized state (406 in FIG. 4).

    If the handshake operation fails after sending of the OK message by the EASS server to the EASS embedded agent, but prior to reception of the OK message by the EASS embedded agent, the connection between the EASS embedded agent and the EASS server can be reestablished and authorization reacquired by the sending by the EASS embedded agent of a SAVE ME message to the EASS server. The SAVE ME message will contain, as the current password, the value that the EASS server has stored as the previous password. From this, the EASS server can determine that the previous handshake operation failed, can update the database to reflect the state prior to the failed handshake operation, and can then reinitiate a new handshake operation.

    FIGS. 8A-F illustrate a second handshake operation that follows the original handshake operation by some period of time less than the original authorization period. By undertaking additional handshake operations, the EASS server 801 continues to initiate handshake operations to maintain the EASS embedded agent 805 in the Authorized state (406 in FIG. 4). The EASS server 801 generates a new, non-initial password 802 and sends this password in an AUTHORIZE message 804. The EASS embedded agent receives the AUTHORIZE message 804 and stores the newly generated password in memory 806. The EASS embedded agent 805 then sends a CONFIRM AUTHORIZATION message 808 back to the EASS server 801 containing both the newly generated password 810 and the contents of the current password register 812. Upon receipt of the CONFIRM AUTHORIZATION message 808, the EASS server 801 updates the database entries for the current and previous passwords 814 and 816 and then sends an OK message 818 back to the EASS embedded agent 805 that contains the new password and the new time period 809 for which the EASS embedded agent 805 will be authorized. After sending the OK message 818, the EASS server 801 updates the database to reflect the new time of authorization 820 and, upon receipt of the OK message by the embedded agent, the non-volatile registers of the EASS embedded agent are updated to reflect the new current password and the now previous password, 822 and 824, respectively.

    FIGS. 9A-B illustrate the recovery mechanism that is employed by an example EASS embedded agent in the event that the OK message of FIGS. 8E-F was lost and not received by the EASS embedded agent. In this case, the time remaining continues to decrease and the EASS embedded agent 902 determines from the time remaining register 904 that sending of a SAVE ME message 906 is necessary to initiate another handshake operation. Because the final OK message 818 is not received by the EASS embedded agent 902, the values of the current password register 908 and the previous password register 910 have not been updated and are the same as the values that were established as a result of the first authorization, as shown in FIG. 7F. However, the EASS server 912 has updated its internal database 914 to indicate the new password generated during the previous handshake operation 916. Thus, the EASS server database 914 does not reflect the actual state of the EASS embedded agent 902. However, when the EASS server 912 receives the SAVE ME message 906, the EASS server 912 can immediately determine that the previous handshake operation did not successfully complete and can update the current password entry and the previous password entry 916 and 918 in the associated database 914 to reflect the actual current state of the EASS embedded agent 902. Thus, upon receipt of the SAVE ME message, the EASS server and the EASS embedded agent are again synchronized, and the EASS server can initiate a new handshake operation to reauthorize the EASS embedded agent.
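    The message flow of FIGS. 7A-F, 8A-F and 9A-B, as an added Python model that is not code from the patent: both sides keep the state the description names (two non-volatile password registers and a countdown in the agent; a per-agent database row and a queued in-flight password in the server), and the server applies the SAVE ME rules of the description, including the lost-OK case in which the agent's current password equals what the server recorded as previous, and the case in which non-initial passwords arrive from an agent the server has no record of. The message field names, the single shared initial password string, integer seconds for time and the error names raised as Alarm are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass

INITIAL_PASSWORD = "initial"       # assumed: one shared default initial password
INIT_GRACE, SAVE_ME_AT = 120, 20   # seconds: initial grace period, SAVE ME threshold

@dataclass
class Msg:
    kind: str           # SAVE_ME, AUTHORIZE, CONFIRM_AUTHORIZE or OK
    new: str = ""       # newly generated password (AUTHORIZE, CONFIRM_AUTHORIZE, OK)
    current: str = ""   # agent's current password register (SAVE_ME, CONFIRM_AUTHORIZE)
    previous: str = ""  # agent's previous password register (SAVE_ME)
    period: int = 0     # authorization period in seconds (OK)

class Alarm(Exception):
    """Server-side error conditions; the names are the example's own."""

class Agent:
    """Embedded agent: two non-volatile password registers and a countdown."""

    def __init__(self, addr):
        self.addr = addr
        self.current = self.previous = INITIAL_PASSWORD
        self.pending = None             # volatile copy of the AUTHORIZE password
        self.time_remaining = INIT_GRACE
        self.authorized = False

    def tick(self, seconds):
        """Count down; return a SAVE ME message once the time runs low."""
        self.time_remaining -= seconds
        if self.time_remaining > SAVE_ME_AT:
            return None
        self.authorized, self.time_remaining = False, SAVE_ME_AT   # retry interval
        return Msg("SAVE_ME", current=self.current, previous=self.previous)

    def on_authorize(self, m):
        self.pending = m.new
        return Msg("CONFIRM_AUTHORIZE", new=m.new, current=self.current)

    def on_ok(self, m):
        """Commit the new password only if it is the one AUTHORIZE carried."""
        if m.new != self.pending:
            return False
        self.previous, self.current = self.current, m.new
        self.time_remaining, self.authorized = m.period, True
        return True

class Server:
    def __init__(self, period=3600):
        self.now, self.period = 0, period
        self.db = {}        # addr -> [current, previous, authorized, expires]
        self.inflight = {}  # addr -> (new, current) queued while a handshake runs

    def _authorize(self, addr, current):
        new = secrets.token_hex(8)      # fresh, non-initial password
        self.inflight[addr] = (new, current)
        return Msg("AUTHORIZE", new=new)

    def on_save_me(self, addr, m):
        queued = self.inflight.pop(addr, None)
        if queued is not None:
            if queued[1] == m.current:
                return self._authorize(addr, m.current)
            raise Alarm("QUEUED_AND_SAVE_ME")
        if m.current == m.previous == INITIAL_PASSWORD:
            self.db.pop(addr, None)     # agent is fresh from power-on
            return self._authorize(addr, m.current)
        rec = self.db.get(addr)
        if rec is None:
            raise Alarm("ALARM: non-initial passwords from an unknown agent")
        cur, prev, _, expires = rec
        if cur == m.current and expires >= self.now:
            return self._authorize(addr, m.current)    # routine renewal
        if prev == m.current and expires > self.now:
            # FIGS. 9A-B: the last OK was lost, so the agent still holds what the
            # server recorded as 'previous'. Resynchronize from the message, redo.
            rec[0], rec[1] = m.current, m.previous
            return self._authorize(addr, m.current)
        raise Alarm("MULTIPLE_OKS_LOST" if prev == m.current else "ALARM")

    def on_confirm(self, addr, m):
        queued = self.inflight.pop(addr, None)
        if queued != (m.new, m.current):
            raise Alarm("QUEUE_ERROR" if queued else "ALARM")
        rec = self.db.get(addr)
        if rec is not None and rec[0] != m.current:
            raise Alarm("CONFIRM_AUTHORIZE_SYNC")
        if rec is None and m.current != INITIAL_PASSWORD:
            raise Alarm("NO_ENTRY")
        self.db[addr] = [m.new, m.current, True, self.now + self.period]
        return Msg("OK", new=m.new, period=self.period)

def handshake(agent, server, lose_ok=False):
    """One SAVE ME -> AUTHORIZE -> CONFIRM AUTHORIZE -> OK round; OK may be dropped."""
    auth = server.on_save_me(agent.addr, agent.tick(agent.time_remaining))
    ok = server.on_confirm(agent.addr, agent.on_authorize(auth))
    return False if lose_ok else agent.on_ok(ok)
```

Running handshake() twice on the same pair gives the FIG. 7 and FIG. 8 exchanges; a call with lose_ok=True followed by another call reproduces FIGS. 9A-B, where the server finds the agent's current password in its previous column, restores both columns from the SAVE ME message and starts a fresh handshake. The same SAVE ME presented to a different Server instance, whose database has no row for the address, ends in an alarm rather than an AUTHORIZE.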

    The above-illustrated and above-described state diagrams and message passing details represent one of many possible different embodiments of the present invention. A different communications protocol with different attendant state diagrams and messages can be devised to accomplish the authorization of EASS embedded agents by EASS servers. Depending on the communications pathways employed, different types of messages with different types of fields and different types of header information may be employed. Moreover, the EASS embedded agent may contain additional non-volatile registers and may maintain different values within the associated non-volatile registers. As one example, rather than passing passwords, both the EASS server and each EASS embedded agent may contain linear feedback registers that electronically generate passwords from seed values. The communications protocols between the EASS server and the EASS embedded agents could ensure that, during transition from the Initial Power-On Grace Period state, the EASS embedded agent receives an initial seed for its linear feedback register that is also used by the EASS server for the EASS server's linear feedback register. Rather than passing passwords, both the EASS embedded agents and the EASS servers can depend on deterministic transitions of their respective linear feedback registers to generate new, synchronized passwords at each authorization point.

    A clever thief who has stolen a PC, who has managed to discern the need to establish connections between EASS embedded agents and an EASS server, and who possesses the necessary passwords to gain entry to client and server utilities that enable a connection between an EASS client and an EASS server to be initialized, will still fail to overcome the EASS and may, in fact, broadcast the location and use of the stolen PC to the EASS. A different EASS server to which a connection is attempted will immediately detect the attempt by the thief to connect the stolen PC to the EASS server by detecting non-initial passwords in the SAVE ME message sent by the EASS embedded agent in order to solicit a handshake operation. The reconnection attempt will be readily discernible to a security administrator using utilities provided to display database contents on the EASS server. Connection to a different EASS server will fail because the EASS embedded agents will power up to the Power-On Grace Period state, rather than the Initial Power-On Grace Period state. The passwords sent to the different EASS server will therefore not be identified as initial passwords. The different EASS server may then notify a centralized management or administrative facility of the fraudulent attempt to connect along with the network address from which the attempt was made. An attempt to connect to the same EASS server will also fail, because the address of the EASS embedded agents within the PC will have changed.
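    The linear feedback register alternative described above, as an added Python model that is not code from the patent: the server and the agent are seeded identically and each advances its register at every authorization point, so the passwords agree without ever being transmitted, and a server that sees an agent's current value in its own previous slot recognizes a missed authorization and resynchronizes, just as in the password-passing embodiment. The 16-bit Fibonacci register, its taps, taking the register state itself as the password and the seed value are all assumptions of the example. The check a practitioner would want is also included: the register is deterministic and linear, so anyone who captures one password can compute every later one, and the seed is the only secret this scheme has.

```python
WIDTH = 16
TAPS = (16, 14, 13, 11)       # x^16 + x^14 + x^13 + x^11 + 1: maximal length, 65535 states
MASK = (1 << WIDTH) - 1

def lfsr_step(state):
    """One Fibonacci-LFSR clock: shift right, feed the XOR of the taps in at the top."""
    bit = 0
    for t in TAPS:
        bit ^= (state >> (WIDTH - t)) & 1
    return ((state >> 1) | (bit << (WIDTH - 1))) & MASK

def next_password(state):
    """Clock the register WIDTH times; the resulting state is the next password."""
    for _ in range(WIDTH):
        state = lfsr_step(state)
    return state

def period(seed):
    """Clocks until the register returns to seed: 65535 for any non-zero 16-bit seed."""
    state, n = lfsr_step(seed), 1
    while state != seed:
        state, n = lfsr_step(state), n + 1
    return n

class LfsrEndpoint:
    """One side (agent or server): same seed and taps give the same password sequence."""

    def __init__(self, seed):
        if not 0 < seed <= MASK:
            raise ValueError("seed must be a non-zero %d-bit value" % WIDTH)
        self.previous = None
        self.current = seed        # the shared seed plays the role of the initial password

    def authorize(self):
        """Advance to the next password at an authorization point; return it."""
        self.previous, self.current = self.current, next_password(self.current)
        return self.current

    def resync(self, current, previous):
        """Server-side view of an agent's (current, previous) pair from a SAVE ME."""
        if current == self.current:
            return "in sync"
        if current == self.previous:   # the agent missed the last authorization point
            self.current, self.previous = current, previous
            return "resynchronized"
        return "alarm"
```

next_password(p) applied to an observed password p is exactly what both ends will compute next, which is why the seed must be delivered over a channel the thief of the paragraph above cannot read; period() confirms the register cycles through all 65535 non-zero states before repeating.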

Pseudo-Code Implementation

    A pseudo-code example implementation of an example EASS server and EASS embedded agent is given below. Although the EASS embedded agent will normally be implemented as a logic circuit, that logic circuit will implement in hardware the algorithm expressed below as pseudo-code. Software and firmware implementations of the EASS embedded agent may, in addition, represent alternate embodiments of the present invention.

  1 enum MSG_TYPE {AUTHORIZE, CONFIRM_AUTHORIZE, OK, SAVE_ME, DEVICE};
  2
  3 enum ERRORS {QUEUED_AND_SAVE_ME, MULTIPLE_OKS_LOST, ALARM,
  4              CONFIRM_AUTHORIZE_SYNC, NO_ENTRY, QUEUE_ERROR};
  5
  6 type PASSWORD;
  7 type ADDRESS;
  8 type TIME;
  9
 10 const TIME initGrace = 2:00;
 11 const TIME saveMe = 0:20;
 12
 13 class Error
 14 {
 15     Error (int err, ADDRESS add);
 16 };
 17
 18 class DeviceMessage
 19 {
 20     DeviceMessage ( );
 21 };
 22
 23 class Device
 24 {
 25     Device ( );
 26     void enable ( );
 27     void disable ( );
 28     void send (DeviceMessage & dvmsg);
 29     Bool receive (DeviceMessage & dvmsg);
 30 };
 31
 32 class Timer
 33 {
 34     Timer (TIME t);
 35     void set (TIME t);
 36 };
 37
 38 class TimerInterrupt
 39 {
 40     TimerInterrupt ( );
 41 };
 42
 43 class TimeServer
 44 {
 45     TimeServer ( );
 46     TIME nextAuthorizationPeriod (ADDRESS add);
 47 };
 48
 49 class Messages
 50 {
 51     Messages ( );
 52     Bool getNext ( );
 53     MSG_TYPE getType ( );
 54     PASSWORD getNewPassword ( );
 55     PASSWORD getCurrentPassword ( );
 56     PASSWORD getPreviousPassword ( );
 57     TIME getTime ( );
 58     ADDRESS getAddress ( );
 59     Bool sendAuthorize (PASSWORD npwd, ADDRESS add);
 60     Bool sendConfirmAuthorize (PASSWORD npwd, PASSWORD cpwd, ADDRESS add);
 61     Bool sendOK (TIME t, PASSWORD npwd, ADDRESS add);
 62     Bool sendSaveMe (PASSWORD cpwd, PASSWORD ppwd, ADDRESS add);
 63 };
 64
 65 class AgentMessages : Messages
 66 {
 67     DeviceMessage & getDeviceMsg ( );
 68     Bool sendDeviceMsg (DeviceMessage & msg);
 69 };
 70
 71 class Passwords
 72 {
 73     Passwords ( );
 74     Bool initialPassword (PASSWORD pwd);
 75     PASSWORD generateNewPassword ( );
 76     void queue (ADDRESS add, PASSWORD npwd, PASSWORD ppwd);
 77     Bool dequeue (ADDRESS add, PASSWORD & npwd, PASSWORD & ppwd);
 78 };
 79
 80 class Database
 81 {
 82     Database ( );
 83     Bool newAgent (ADDRESS add, PASSWORD cur, PASSWORD prev, Bool authorized, TIME t);
 84     Bool updateAgent (ADDRESS add, PASSWORD cur, PASSWORD prev, Bool authorized, TIME t);
 85     Bool retrieveAgent (ADDRESS add, PASSWORD & cur, PASSWORD & prev, Bool & authorized,
 86                         TIME & t);
 87     Bool deleteAgent (ADDRESS add);
 88 };
 89
 90 agent (PASSWORD current, PASSWORD previous)       // current and previous are the non-volatile registers
 91 {
 92     PASSWORD tpwd;                                // volatile copy of the password from AUTHORIZE
 93     Timer time (initGrace);
 94     AgentMessages msg ( );
 95     Device dv ( );
 96     DeviceMessage dvmsg ( );
 97     Bool authorized = FALSE;
 98     Bool enabled = TRUE;
 99
100     do
101     {
102         try
103         {
104             while (msg.getNext ( ))
105             {
106                 switch (msg.getType ( ))
107                 {
108                     case AUTHORIZE:
109                         tpwd = msg.getNewPassword ( );
110                         msg.sendConfirmAuthorize (tpwd, current, msg.getAddress ( ));
111                         break;
112                     case OK:
113                         if (tpwd == msg.getNewPassword ( ))   // accept only the password AUTHORIZE carried
114                         {
115                             time.set (msg.getTime ( ) - saveMe);   // wake up saveMe before authorization expires
116                             authorized = TRUE;
117                             previous = current;
118                             current = tpwd;
119                             if (!enabled)
120                             {
121                                 dv.enable ( );
122                                 enabled = TRUE;
123                             }
124                         }
125                         break;
126                     case DEVICE:
127                         if (enabled) dv.send (msg.getDeviceMsg ( ));
128                         break;
129                     default:
130                         break;
131                 }
132             }
133             while (dv.receive (dvmsg))
134             {
135                 if (enabled) msg.sendDeviceMsg (dvmsg);
136             }
137         }
138         catch (TimerInterrupt)
139         {
140             if (authorized)                        // first expiry: ask for reauthorization, keep the device up
141             {
142                 authorized = FALSE;
143                 msg.sendSaveMe (current, previous, msg.getAddress ( ));
144                 time.set (saveMe);
145             }
146             else                                   // still unanswered after saveMe: disable the device
147             {
148                 enabled = FALSE;
149                 msg.sendSaveMe (current, previous, msg.getAddress ( ));
150                 time.set (saveMe);
151                 dv.disable ( );
152             }
153         }
154     } while (TRUE);
155 }
156
157 server ( )
158 {
159     Messages msg ( );
160     PASSWORD current, previous, dcur, dprev, newp;
161     PASSWORD queuedNew, queuedCurrent, newpass;
162     Passwords pswds ( );
163     TIME tm;
164     Database db ( );
165     ADDRESS add;
166     TimeServer ts ( );
167     Bool auth;
168
169     while (msg.getNext ( ))
170     {
171         switch (msg.getType ( ))
172         {
173             case SAVE_ME:
174                 current = msg.getCurrentPassword ( );
175                 previous = msg.getPreviousPassword ( );
176                 if (pswds.dequeue (msg.getAddress ( ), queuedNew, queuedCurrent))   // a handshake is already in flight
177                 {
178                     if (queuedCurrent == current)
179                     {
180                         newp = pswds.generateNewPassword ( );
181                         pswds.queue (msg.getAddress ( ), newp, current);
182                         msg.sendAuthorize (newp, msg.getAddress ( ));
183                     }
184                     else throw (Error (QUEUED_AND_SAVE_ME, msg.getAddress ( )));
185                 }
186                 else
187                 {
188                     if (pswds.initialPassword (current) && pswds.initialPassword (previous))   // agent fresh from power-on
189                     {
190                         db.deleteAgent (msg.getAddress ( ));
191                         newp = pswds.generateNewPassword ( );
192                         pswds.queue (msg.getAddress ( ), newp, current);
193                         msg.sendAuthorize (newp, msg.getAddress ( ));
194                     }
195                     else
196                     {
197                         if (db.retrieveAgent (msg.getAddress ( ), dcur, dprev, auth, tm))
198                         {
199                             if (dcur == current && tm >= getSystemTime ( ))   // routine renewal
200                             {
201                                 newp = pswds.generateNewPassword ( );
202                                 pswds.queue (msg.getAddress ( ), newp, current);
203                                 msg.sendAuthorize (newp, msg.getAddress ( ));
204                             }
205                             else if (dprev == current && tm > getSystemTime ( ))   // the last OK was lost: resend it
206                             {
207                                 msg.sendOK (ts.nextAuthorizationPeriod (msg.getAddress ( )),
208                                             dcur, msg.getAddress ( ));
209                             }
210                             else if (dprev == current && tm < getSystemTime ( ))
211                             {
212                                 throw (Error (MULTIPLE_OKS_LOST, msg.getAddress ( )));
213                             }
214                             else throw (Error (ALARM, msg.getAddress ( )));
215                         }
216                         else throw (Error (ALARM, msg.getAddress ( )));   // non-initial passwords from an unknown agent
217                     }
218                 }
219                 break;
220             case CONFIRM_AUTHORIZE:
221                 newpass = msg.getNewPassword ( );
222                 current = msg.getCurrentPassword ( );
223                 if (pswds.dequeue (msg.getAddress ( ), queuedNew, queuedCurrent))
224                 {
225                     if (newpass == queuedNew && current == queuedCurrent)
226                     {
227                         if (db.retrieveAgent (msg.getAddress ( ), dcur, dprev, auth, tm))
228                         {
229                             if (dcur == current)
230                             {
231                                 tm = ts.nextAuthorizationPeriod (msg.getAddress ( ));
232                                 db.updateAgent (msg.getAddress ( ), newpass, current, TRUE,
233                                                 tm + getSystemTime ( ));
234                                 msg.sendOK (tm, newpass, msg.getAddress ( ));
235                             }
236                             else
237                             {
238                                 throw (Error (CONFIRM_AUTHORIZE_SYNC, msg.getAddress ( )));
239                             }
240                         }
241                         else
242                         {
243                             if (pswds.initialPassword (current))
244                             {
245                                 tm = ts.nextAuthorizationPeriod (msg.getAddress ( ));
246                                 db.newAgent (msg.getAddress ( ), newpass, current, TRUE,
247                                              tm + getSystemTime ( ));
248                                 msg.sendOK (tm, newpass, msg.getAddress ( ));
249                             }
250                             else throw (Error (NO_ENTRY, msg.getAddress ( )));
251                         }
252                     }
253                     else throw (Error (QUEUE_ERROR, msg.getAddress ( )));
254                 }
255                 else throw (Error (ALARM, msg.getAddress ( )));
256                 break;
257             default:
258                 break;
259         }
260     }
261 }

    Lines 1-11 of the above program include definitions of constants and types used in the remaining lines of the program. Line 1 defines the enumeration MSG_TYPE that includes five enumerated constants to describe the five different types of messages used to implement the EASS. These types of messages include the AUTHORIZE, CONFIRM AUTHORIZE, OK, and SAVE ME messages described in FIGS. 6A-B and 7A-F, as well as DEVICE messages which are exchanged between the CPU (214 in FIG. 2) and the device controllers (242, 244, 246, 248, and 250 in FIG. 2) via the system controller (218 in FIG. 2) and via any EASS embedded agents residing in the device controllers. On lines 3 and 4, an enumeration is declared for various types of errors and potentially insecure conditions that may arise during operation of both the EASS server and EASS embedded agents. These errors and conditions will be described below in the contexts within which they arise. On lines 6-8, three basic types used throughout the implementation are declared. These types may be implemented either using predefined types, such as integers and floating point numbers, or may be more elaborately defined in terms of classes. These types include: (1) PASSWORD, a consecutive number of bits large enough to express internal passwords used within the EASS, commonly 56, 64, or 128 bits; (2) ADDRESS, a number of consecutive bits large enough to hold communications addresses for EASS servers and EASS embedded agents; and (3) TIME, a time value expressed in hours, minutes and seconds, possibly also including a date and year. On lines 10 and 11, the constants "initGrace" and "saveMe" are defined to be two minutes and 20 seconds, respectively. The constant "initGrace" is the initial grace period following power up during which an EASS embedded agent passes device messages to and from the device controller into which it is embedded without authorization. The constant "saveMe" is the interval at which an EASS embedded agent sends SAVE ME messages to an EASS server in order to reestablish authorization. In an alternative embodiment, both the initial grace period and the SAVE ME interval may be configurable by a user, by the EASS server, by an administrator, or by some combination of users, EASS servers, and administrators.

    On lines 13-88, a number of classes are declared that are used in the routines "agent" and "server" that follow. Prototypes for these classes are given, but the implementations of the methods are not shown. These implementations are quite dependent on the specific computer hardware platforms, operating systems, and communications protocols employed to implement the EASS. Much of the implementations of certain of these classes may be directly provided through operating system calls. The class Error, declared on lines 13-16, is a simple error reporting class used in the server routine for exception handling. Only the constructor for this class is shown on line 15. An instance of this class is initialized through the arguments passed to the constructor. These include an integer value representing the particular error that has been identified and an address value that indicates the network or communications address of the EASS embedded agent that the error relates to.

    The class DeviceMessage, declared on lines 18-21, encapsulates methods and data that implement the various kinds of device messages exchanged between the CPU and the device controllers of a PC. The methods and data for this class depend on the types of communications buses employed within the PC and are, therefore, not further specified in this example program. The class Device, declared on lines 23-30, represents the functionality of the device controller within which an EASS embedded agent is embedded. In general, the methods shown for this class would be implemented as hardware logic circuits. The methods include optional methods for enabling and disabling the device declared on lines 26 and 27, a method for sending device messages to the device, declared on line 28, and a method for receiving device messages from the device, declared on line 29.

    getNext makes that next message the current message from which information can be obtained by calling the methods declared on lines 53-58. These methods allow for obtaining the type of the message, the address of the sender of the message, and the contents of the message, depending on the type of the message, including new passwords, current passwords, previous passwords, and authorization times. The methods "sendAuthorize" and "sendOK" declared on lines 59 and 61 are used in the server routine to send AUTHORIZE and OK messages to EASS embedded agents, respectively. The methods "sendConfirmAuthorize" and "sendSaveMe" declared on lines 60 and 62 are used in the agent routine to send CONFIRM AUTHORIZE and SAVE ME messages to an EASS server, respectively. The class "AgentMessages," declared on lines 65-69, derived from the class "Messages," allows an EASS embedded agent to communicate both with an EASS server as well as with the CPU. In other words, the two methods "getDeviceMsg" and "sendDeviceMsg," declared on lines 67-68, allow an EASS embedded agent to intercept device messages sent by the CPU to the device controller in which the EASS embedded agent is embedded and to pass device messages from the device controller back to the CPU. The class Passwords, declared on lines 71-78, is used within the server routine for queuing certain password information as well as for generating passwords and determining whether a password is an initial password. The method "initialPassword," declared on line 74, takes a password as an argument and returns a Boolean value indicating whether the password is an initial password or not. The method "generateNewPassword," declared on line 75, generates a new, non-initial password to pass to an EASS embedded agent as part of an AUTHORIZE message. A more sophisticated implementation of generateNewPassword might use an