WO2013113399A1 - A method and a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system

Info

Publication number
WO2013113399A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
multimedia resource
input multimedia
computer system
authorized
Application number
PCT/EP2012/051861
Other languages
French (fr)
Inventor
Iñaki URZAY
Original Assignee
Lockyourwebcam, S. L.
Application filed by Lockyourwebcam, S. L. filed Critical Lockyourwebcam, S. L.
Priority to PCT/EP2012/051861 priority Critical patent/WO2013113399A1/en
Publication of WO2013113399A1 publication Critical patent/WO2013113399A1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • A method and a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system. The present invention relates to a method of controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system.
  • the invention also relates to a system and a computer program product suitable for carrying out such a method.
  • a computer program may check a local or remote request for access to video and audio resources and may "lock" the resources if the request does not comply with the security criteria of the computer program. Resources may be "unlocked" by the "administrator" of the system.
  • the present invention aims to provide a method and a system that solve at least partly the above-mentioned drawbacks.
  • the invention provides a method for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system, the method comprising:
  • a request of accessing the input multimedia resource may be dispatched by a software application or by another type of process running on the operating system and which requests accessing to input multimedia resource associated to the computer system in which the operating system is running.
  • This request may be associated with a running process of the operating system which in general it may be a device driver or with a process launched by the operating system in relation to the mentioned request.
  • This process may attempt to access the input multimedia resource in order to fulfil the request for accessing input multimedia resource.
  • the detection of the attempt of the process used by the operating system to access the input multimedia resource may be carried out for example by detecting and identifying the commands transmitted in the communication between the operating system and the input multimedia resource.
  • the attempt of the process may be intercepted and detected.
  • the authorized user verifies whether the detected process has the permission to access the input multimedia resource.
  • the authorized user is a user with rights to allow or block the attempt of the process to access the input multimedia resource and it may be the real administrator of the computer system or not.
  • the method may be carried out independently if the user may know or not the software application or initial process which dispatched the request for accessing input multimedia resource. It may be possible to configure the method to always detect the attempts of a specific process.
  • the process may get access to the input multimedia resource.
  • the communication between the operating system and the input multimedia resource may be completed and therefore, allowing the process to have access to the input multimedia resource and thus, fulfilling the request from the software application running on the operating system.
  • the attempt of the process to access input multimedia resource may be blocked.
  • the communication between the operating system and the input multimedia resource is not completed and therefore, the process used by the operating system may not have access to the input multimedia resource and in consequence, the request from the application running on the operating system is rejected.
  • the first aspect of the present application suggests that the authorized user may be involved in each attempt of a process to access input multimedia resource associated with the computer system. This fact may permit that the authorized user may be aware of the use of input multimedia resource associated to the computer system increasing the security, the reliability of the system and protecting the privacy of the user.
  • the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
  • the authorized user may be requested for a response related to the authorization of the process to access the input multimedia resource.
  • This request may be a user interface pop-up window which may be displayed when the authorization from the user is required.
  • This authorization may be required in order to permit the process used by the operating system to access the input multimedia resource.
  • the request about if the process is authorized to access the input multimedia resource may be transmitted to a second computer system established by the authorized user.
  • the response of the authorized user may be received from the second computer system independent to the computer system in which the process attempting to access input multimedia resource is running. Similarly, the response of the authorized user may be received from the same computer system.
  • the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
  • Validating the requested identification parameter. In addition to asking the authorized user whether or not the process may be authorized to access the input multimedia resource, it may be possible to request an identification parameter from the user in order to prove his identity.
  • This identification parameter from the authorized user may be received from the second computer system, or from the main computer system, before its validation.
  • the step of detecting the attempt of the process to access the input multimedia resource comprises:
  • the interception mechanism may operate at different levels. In one embodiment of the present application, the interception mechanism may operate at the connection port level.
  • the communications between the operating system and the input multimedia resource through a communication channel are filtered.
  • One example could be an input multimedia resource connected to the computer system which runs the operating system via a USB connection port.
  • the step of detecting the attempt of the process to access the input multimedia resource comprises:
  • the interception mechanism may operate at different levels.
  • the interception mechanism may operate at the application programming interface (API) level.
  • One example could be the filtering of some of specifications comprised within the API required by the operating system for the suitable use of the input multimedia resource.
  • a visual notification may be displayed on the screen of the computer system in order to indicate that the input multimedia resource is being accessed by a process running in the operating system.
  • a computer program product comprising program instructions for causing a computer to perform a method for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system.
  • the computer program product may be embodied on a storage medium.
  • the computer program product may be carried on a carrier signal.
  • a computer system comprising:
  • a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system comprising: • Computer means for intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
  • the computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
  • the request to the authorized user for authorization may be dispatched from the computer system in which the operating system is running and it may be transmitted to a second computer system.
  • the response to the request may be received from the second computer system.
  • the second computer system may be located in a remote location in which the authorized user receives the request through the second computer.
  • the second computer may be for example a personal computer or a mobile device connected to a data network as a Smart phone or PDA. Thus, it may not be required that the authorized user shares the same physical location as the computer system.
  • the computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
  • the request to the authorized user for an identification parameter or password may be dispatched from the computer system in which the operating system is running and received at a second computer system.
  • the response to the request may be received from the second computer system.
  • the second computer may be for example a personal computer or a mobile device connected to a data network as a Smart phone or PDA.
  • the validation may be performed in the computer system in which the operating system is running.
  • the second computer system is the same computer system.
  • the second computer system may be the computer system in which the operating system is running.
  • the authorized user and the computer system may share the same physical location.
  • the second computer system is a remote computer system.
  • the second computer system may be for example a personal computer or a mobile device connected to a data network as a Smart phone or PDA. Thus, it may not be required that the authorized user shares the same physical location as the computer system.
  • the input multimedia resource is selected from at least one of the following resources:
  • a video capturing device may be a webcam or a device capable of capturing video images.
  • An audio capturing device may be a microphone or a device capable of recording audio. Additional objects, advantages and features of embodiments of the invention will become apparent to those skilled in the art upon examination of the description, or may be learned by practice of the invention.
  • Figure 1 shows a flux diagram which represents the steps of a method of an embodiment of the present application.
  • Figure 1 is a flux diagram which represents a possible embodiment of the method of the present application, and it shows a plurality of steps i.e. step 101 is the beginning of the method, step 102 intercepts a channel of the operating system through which a process attempts to access an input multimedia resource, step 103 detects the attempt of the process to access the input multimedia resource, step 104 verifies if the process is authorized by an authorized user of the computer system to access the input multimedia resource, step 105 allows the process to access the input multimedia resource, step 106 blocks the attempt of the process to access the input multimedia resource and step 107 is the end of the process. It must be noted that the detailed method is continuously running in the operating system in order to detect any attempt of a process to access the input multimedia resource.
  • Step 102 comprises intercepting a channel of the operating system through which any process attempts to access the input multimedia resource (video capturing and/or audio capturing device).
  • a software application or another type of process running on an operating system of a computer system requests to access to an input multimedia resource.
  • the operating system receives this request from the software application program and in response, a running process (in another implementation it could be a process launched ex profeso by the operating system) attempts to establish the communication with the input multimedia resource.
  • the video capturing device is connected to the computer system via a data transfer port which is a USB port.
  • the audio capturing device is also connected via a USB port.
  • Other ports could be used to connect the multimedia devices to the computer system as firewire, PCI and parallel or serial buses.
  • In step 103, the method detects the attempt of the process to access the video capturing device and the audio capturing device.
  • Step 104 carries out the verification of the process detected in the previous step 103.
  • the verification is carried out by requesting to an authorized user a response about if the intercepted process is authorized or not to access to the video capturing and the audio capturing devices.
  • the authorized user can receive this request through the computer system which comprises the operating system in which the process is running or through a computer of a remote location, a Smart phone or a PDA for example.
  • In step 105, the video and audio capturing devices are accessed by the detected process if this process has been authorized by the authorized user.
  • In step 106, the attempt of the process to access the video and audio capturing devices is blocked because the process did not get the authorization from the authorized user. In this situation, the process may be running without having accessed the input multimedia resource.
  • the method may store upon request, the negative or positive response (granted or denied authorization) from the authorized user in order to automatically block or permit a future attempt of the process to access the input multimedia resource.
  • Step 107 is the end of the method of the present embodiment and, like Step 101, it is symbolic because the method is continuously running in the operating system.
  • the operating system is Microsoft Windows
  • the input multimedia resource is a webcam connected to the computer system via a USB port
  • the software application which requests the access to the webcam is Skype.
  • Step 102 intercepts a channel of the operating system through which a process of a device driver running on the operating system attempts to get access to the webcam.
  • the device driver was loaded in the operating system when the webcam device was detected by the Plug-and-Play device which detects that a new element was connected to the computer system via the USB port.
  • the instructions and commands required to control the device are loaded in the operating system.
  • Skype requests the access to the webcam device and to achieve this, it uses a communication channel I/O control to establish communication with the device driver in order to get access to the webcam device.
  • the interception of this process of the device driver may be carried out at different levels (at user level by means of an API hooking, at video stream driver level, or at USB level).
  • the interception is carried out by using a Microsoft Windows filter driver which intercepts the communications through a channel at connection port level between the operating system and the webcam device connected via the USB port.
  • a filter driver is a type of driver inserted into the existing device driver stack.
  • the task of the filter driver is to identify the USB commands transmitted during the communication between the operating system and the webcam in order to detect the attempt of the process for accessing the webcam device in step 103.
  • the USB commands can be e.g. initializing commands, capturing video transmission commands, closing commands, etc.
  • Another possible way to detect the attempt of a process which tries to get access of a video capturing device could be for example the detection in upper layers of the operating system i.e. referring to the application programming interface (API).
  • API's Microsoft Windows has been considerable in the recent years but Microsoft still keeps compatibilities with "old" API's as for example with VFW (video for Windows).
  • the current API is DirectShow which is part of DirectX.
  • detecting the attempt of a process to access to input multimedia resource could be for example by means of a DLL proxy or by detecting the API COM used by DirectShow with the Microsoft Detours library, etc.
  • an upper class filter driver or similar is used.
  • the detection of the attempt of the process could be carried out by making use of the API for video capturing which is implemented with drivers for video, e.g. an AVStream upper class filter driver.
  • the API specifications for capturing video routines, data structures, object classes, etc.
  • the step 104 verifies if the process is authorized to access to the webcam.
  • the filter driver detects and identifies the commands transmitted during the communication established between the application and the webcam device. For example, the filter driver identifies a command from the process running on the operating system which orders the webcam to start capturing video images. This command is considered as an attempt of the process to access to the webcam device and therefore, the process is intercepted.
  • the authorized user is requested to provide a response about whether he authorizes the intercepted process to take control of the webcam and, in order to satisfy this request, the user may enter a personal password, if configured in that way, as identification parameter before authorizing or not the intercepted process.
  • In step 105, once the password has been verified, if the authorized user authorizes the process to access the webcam, the filter driver passes the intercepted command of the previous step to the existing device driver which manages the communication between the operating system and the webcam.
  • the existing device driver will receive the intercepted command from the filter driver in order to complete the communication permitting the process to access to the webcam and thus, fulfilling the request of accessing the webcam dispatched by the Skype application.
  • In step 106, if the authorized user does not authorize the process to access the webcam, the filter driver blocks the intercepted command.
  • the existing device driver will not receive the intercepted command from the filter driver and the communication between the operating system and the webcam will be aborted. In this case, the request of accessing the webcam dispatched by Skype will be denied.
  • the method will keep running in order to detect new attempts of processes triggered by program applications requesting input multimedia resource.
  • the carrier may comprise a storage medium, such as a ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example a floppy disc or hard disk.
  • the carrier may be a transmissible carrier such as an electrical or optical signal, which may be conveyed via electrical or optical cable or by radio or other means.
  • the carrier may be constituted by such cable or other device or means.
  • the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant processes.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

Method and system of controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system. The method comprising: Intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource; detecting the attempt of a process to access the input multimedia resource; verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource; in case of a positive result, allowing the process to access the input multimedia resource and in case of a negative result, blocking the attempt of the process to access the input multimedia resource.

Description

A method and a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system
The present invention relates to a method of controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system.
The invention also relates to a system and a computer program product suitable for carrying out such a method.
BACKGROUND ART
Nowadays, due to the advance of technology, devices for capturing video and audio transmission for multimedia experiences (e.g. webcam, microphone, etc.) are more and more common in electronic systems such as general-purpose computers (PC, laptop, netbook, etc.) and mobile devices (smartphones, PDAs, etc.). These devices may be provided in an embedded form or as external hardware that is detected by the operating system of the computer or mobile device prior to operation.
Due to the growing market for these types of devices for video and audio transmission and the increase of "malicious software", known as "malware", a solution to control the access to these types of devices and resources is desired. This solution could be achieved by being aware of which application attempts to use which input multimedia device. In this respect, which user is using the system might be taken into account in order to provide different system configurations to guarantee the security and privacy of the users (minor children in some cases) and of the whole system. Furthermore, the verification should be made by an "authority" that provides the permission required for accessing video and audio resources. In the recent prior art, solutions have addressed controlling the access to video and audio resources, e.g. by detecting the attempts of processes to access video and audio resources and analyzing whether these attempts are carried out by "malware" which triggers a process to take over video and audio resources.
In another solution, a computer program may check a local or remote request for access to video and audio resources and may "lock" the resources if the request does not comply with the security criteria of the computer program. Resources may be "unlocked" by the "administrator" of the system.
Alternative solutions permit an "authority" to configure a computer program associated to audio and video resources. Thus, based on the customized configuration of the computer program, it is possible to restrict and manage the use of these resources by a third party.
The above-mentioned solutions, although acceptable, have the drawback that they do not provide for an authority (which could be a human being instead of a computer program) that verifies and accepts or denies, in real time, the requests from a third party for accessing audio and video resources. Computer programs may fail, may be corrupted or may take an erroneous decision and, in contrast to a human authority, they cannot distinguish between adults and minors. Thus, a better solution is desired.
The present invention aims to provide a method and a system that solve at least partly the above-mentioned drawbacks.
SUMMARY OF THE INVENTION
In a first aspect, the invention provides a method for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system, the method comprising:
• Intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
• Detecting the attempt of the process to access the input multimedia resource;
• Verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource;
• In case of a positive result, allowing the process to access the input multimedia resource;
• In case of a negative result, blocking the attempt of the process to access the input multimedia resource.
A request to access the input multimedia resource may be dispatched by a software application or by another type of process running on the operating system which requests access to an input multimedia resource associated to the computer system in which the operating system is running. This request may be associated with a running process of the operating system, which in general may be a device driver, or with a process launched by the operating system in relation to the mentioned request.
This process may attempt to access the input multimedia resource in order to fulfil the request for accessing input multimedia resource.
Once the channel or channels of the operating system through which any process attempts to access the input multimedia resource are intercepted, the detection of the attempt of the process used by the operating system to access the input multimedia resource may be carried out for example by detecting and identifying the commands transmitted in the communication between the operating system and the input multimedia resource. Thus, the attempt of the process may be intercepted and detected.
In order to carry out the verification, the authorized user verifies whether the detected process has the permission to access the input multimedia resource. The authorized user is a user with rights to allow or block the attempt of the process to access the input multimedia resource, and may or may not be the real administrator of the computer system. The method may be carried out regardless of whether the user knows the software application or initial process which dispatched the request for accessing the input multimedia resource. It may be possible to configure the method to always detect the attempts of a specific process.
In case the authorized user grants the authorization, the process may get access to the input multimedia resource. In this respect, the communication between the operating system and the input multimedia resource may be completed and therefore, allowing the process to have access to the input multimedia resource and thus, fulfilling the request from the software application running on the operating system.
In case the authorized user denies the authorization, the attempt of the process to access input multimedia resource may be blocked. In this respect, due to the negative response of the authorized user, the communication between the operating system and the input multimedia resource is not completed and therefore, the process used by the operating system may not have access to the input multimedia resource and in consequence, the request from the application running on the operating system is rejected.
Thus, the first aspect of the present application suggests that the authorized user may be involved in each attempt of a process to access an input multimedia resource associated with the computer system. This makes the authorized user aware of the use of the input multimedia resource associated to the computer system, increasing the security and the reliability of the system and protecting the privacy of the user.
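The intercept, detect, verify, allow-or-block flow described above, as an added example that is not part of the patent text: a user-space C simulation of the decision logic, not a Windows filter driver. All names (`filter_handle`, `demo_user`, the process strings) are hypothetical; treating only a start-capture command as the access attempt, keying stored decisions by process name, and blocking when no authorized user can be asked are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed command classes standing in for the USB commands the page
   lists (initializing, capturing video transmission, closing). */
typedef enum { CMD_INIT, CMD_START_CAPTURE, CMD_CLOSE } cmd_kind;
typedef enum { VERDICT_BLOCKED = 0, VERDICT_FORWARDED = 1 } verdict;
typedef enum { ANSWER_DENY = 0, ANSWER_ALLOW = 1 } answer;

/* Verification step: asks the authorized user (locally or on a second
   computer system). Sets *remember when the answer should be stored. */
typedef answer (*ask_user_fn)(const char *process, int *remember);

#define MAX_RULES 16
struct rule { char process[64]; answer decision; };

struct filter {
    struct rule rules[MAX_RULES];  /* stored positive/negative responses */
    int n_rules;
    ask_user_fn ask;               /* NULL: no authorized user reachable */
    int prompts;                   /* how often the user was asked */
};

void filter_init(struct filter *f, ask_user_fn ask) {
    memset(f, 0, sizeof *f);
    f->ask = ask;
}

static const struct rule *find_rule(const struct filter *f, const char *process) {
    for (int i = 0; i < f->n_rules; i++)
        if (strcmp(f->rules[i].process, process) == 0)
            return &f->rules[i];
    return NULL;
}

static void store_rule(struct filter *f, const char *process, answer a) {
    /* If the table is full or the name does not fit, nothing is stored
       and the user is simply asked again on the next attempt. */
    if (f->n_rules == MAX_RULES || strlen(process) >= sizeof f->rules[0].process)
        return;
    strcpy(f->rules[f->n_rules].process, process);
    f->rules[f->n_rules].decision = a;
    f->n_rules++;
}

/* One intercepted command: decide whether it reaches the device driver. */
verdict filter_handle(struct filter *f, const char *process, cmd_kind cmd) {
    /* Detection: only a start-capture command counts as an access attempt
       in this sketch; other commands pass through. */
    if (cmd != CMD_START_CAPTURE)
        return VERDICT_FORWARDED;

    answer a;
    const struct rule *r = find_rule(f, process);
    if (r) {
        a = r->decision;           /* stored response, no prompt */
    } else if (f->ask == NULL) {
        a = ANSWER_DENY;           /* fail closed: nobody can authorize */
    } else {
        int remember = 0;
        f->prompts++;
        a = f->ask(process, &remember);
        if (remember)
            store_rule(f, process, a);
    }
    /* Allow: pass the command down. Block: drop it. */
    return a == ANSWER_ALLOW ? VERDICT_FORWARDED : VERDICT_BLOCKED;
}

/* Constructed stand-in for the authorized user: allows and remembers
   "skype.exe", denies everything else without remembering. */
answer demo_user(const char *process, int *remember) {
    if (strcmp(process, "skype.exe") == 0) {
        *remember = 1;
        return ANSWER_ALLOW;
    }
    *remember = 0;
    return ANSWER_DENY;
}

int main(void) {
    struct filter f;
    const char *procs[] = { "skype.exe", "skype.exe", "unknown.exe" };
    filter_init(&f, demo_user);
    for (int i = 0; i < 3; i++) {
        verdict v = filter_handle(&f, procs[i], CMD_START_CAPTURE);
        printf("%-12s start-capture -> %s (prompts so far: %d)\n", procs[i],
               v == VERDICT_FORWARDED ? "forwarded" : "blocked", f.prompts);
    }
    return 0;
}
```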
According to another embodiment, the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Transmitting a request about if the process is authorized to access the input multimedia resource to a second computer system established by the authorized user;
• Receiving the response of the authorized user, from the second computer system, about if the process is authorized to access the input multimedia resource.
The authorized user may be requested for a response related to the authorization of the process to access the input multimedia resource. This request may be a user interface pop-up window which may be displayed when the authorization from the user is required. This authorization may be required in order to permit the process used by the operating system to access the input multimedia resource.
The request about if the process is authorized to access the input multimedia resource may be transmitted to a second computer system established by the authorized user. The response of the authorized user may be received from the second computer system independent to the computer system in which the process attempting to access input multimedia resource is running. Similarly, the response of the authorized user may be received from the same computer system.
According to another embodiment, the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Requesting an identification parameter of the authorized user;
• Receiving, from the second computer system, the identification parameter from the authorized user;
• Validating the requested identification parameter.
In addition to requesting to the authorized user about if the process may be authorized to access the input multimedia resource or not it may be possible to request the user for an identification parameter in order to prove his identity. This identification parameter from the authorized user may be received from the second computer system, or from the main computer system, before its validation.
In another embodiment, the step of detecting the attempt of the process to access the input multimedia resource comprises:
• Filtering the communications at connection port level between the operating system running on the computer system and the input multimedia resource associated to the computer system.
The interception mechanism may operate at different levels. In one embodiment of the present application, the interception mechanism may operate at the connection port level. The communications between the operating system and the input multimedia resource through a communication channel are filtered. One example could be an input multimedia resource connected, via a USB connection port, to the computer system which runs the operating system. The USB commands are identified in order to detect the attempt of a process to access the input multimedia resource.
In another embodiment, the step of detecting the attempt of the process to access the input multimedia resource comprises:
• Filtering or hooking into a plurality of specifications provided by an API of the operating system, wherein said specifications are required for accessing the input multimedia resource.
The interception mechanism may operate at different levels. In one embodiment of the present application, the interception mechanism may operate at the application programming interface (API) level. One example could be the filtering of some of the specifications comprised within the API required by the operating system for the suitable use of the input multimedia resource.
In another embodiment, in case of a positive result in the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource:
• Displaying a visual notification indicating that the process is accessing the input multimedia resource.
A visual notification may be displayed on the screen of the computer system in order to indicate that the input multimedia resource is being accessed by a process running in the operating system.
In another embodiment, in case of a negative result in the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource:
• Displaying a visual notification indicating that the attempt of the process to access the input multimedia resource has been blocked.
A visual notification may be displayed on the screen of the computer system in order to indicate that the process used by the operating system did not access the input multimedia resource.
In another embodiment, a computer program product is suggested comprising program instructions for causing a computer to perform a method for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system. The computer program product may be embodied on a storage medium. The computer program product may be carried on a carrier signal.
According to a second aspect of the invention, it is suggested a computer system comprising:
• a memory and a processor, embodying instructions stored in the memory and executable by the processor, the instructions comprising functionality to:
o Intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
o Detecting the attempt of a process to access the input multimedia resource;
o Verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource;
o In case of a positive result, allowing the process to access the input multimedia resource;
o In case of negative result, blocking the attempt of the process to access the input multimedia resource.
According to a third aspect of the invention, it is suggested a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system, the system comprising:
• Computer means for intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
• Computer means for detecting the attempt of the process to access the input multimedia resource;
• Computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource;
• Computer means for allowing the process to access the input multimedia resource;
• Computer means for blocking the attempt of the process to access the input multimedia resource.
In another embodiment, the computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Computer means for transmitting a request about if the process is authorized to access the input multimedia resource to a second computer system established by the authorized user;
• Computer means for receiving the response of the authorized user, from the second computer system, about if the process is authorized to access the input multimedia resource.
The request to the authorized user for authorization may be dispatched from the computer system in which the operating system is running and it may be transmitted to a second computer system. The response to the request may be received from the second computer system. The second computer system may be located in a remote location in which the authorized user receives the request through the second computer. The second computer may be, for example, a personal computer or a mobile device connected to a data network, such as a smartphone or PDA. Thus, it may not be required that the authorized user shares the same physical location as the computer system.
In another embodiment, the computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Computer means for requesting an identification parameter of the authorized user;
• Computer means for receiving, from the second computer system, the identification parameter from the authorized user;
• Computer means for validating the requested identification parameter.
The request to the authorized user for an identification parameter or password may be dispatched from the computer system in which the operating system is running and received at a second computer system. The response to the request may be received from the second computer system. The second computer may be, for example, a personal computer or a mobile device connected to a data network, such as a smartphone or PDA.
The validation may be performed in the computer system in which the operating system is running.
In another embodiment, the second computer system is the same computer system. The second computer system may be the computer system in which the operating system is running. Thus, the authorized user and the computer system may share the same physical location.
In another embodiment, the second computer system is a remote computer system. The second computer system may be, for example, a personal computer or a mobile device connected to a data network, such as a smartphone or PDA. Thus, it may not be required that the authorized user shares the same physical location as the computer system.
In another embodiment, the input multimedia resource is selected from at least one of the following resources:
- A video capturing device;
- An audio capturing device.
A video capturing device may be a webcam or a device capable of capturing video images.
An audio capturing device may be a microphone or a device capable of recording audio.
Additional objects, advantages and features of embodiments of the invention will become apparent to those skilled in the art upon examination of the description, or may be learned by practice of the invention.
Throughout the description and claims the word "comprise" and variations of the word, are not intended to exclude other technical features, additives, components, or steps. Additional objects, advantages and features of the invention will become apparent to those skilled in the art upon examination of the description or may be learned by practice of the invention. The following examples and drawings are provided by way of illustration, and they are not intended to be limiting of the present invention. Reference signs related to drawings and placed in parentheses in a claim, are solely for attempting to increase the intelligibility of the claim, and shall not be construed as limiting the scope of the claim. Furthermore, the present invention covers all possible combinations of particular and preferred embodiments described herein.
BRIEF DESCRIPTION OF THE DRAWINGS
Particular embodiments of the present invention will be described in the following by way of non-limiting examples, with reference to the appended drawing, in which:
Figure 1 shows a flow diagram which represents the steps of a method of an embodiment of the present application.
DETAILED DESCRIPTION OF EMBODIMENTS
In the following descriptions, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be understood by one skilled in the art, however, that the present invention may be practiced without some or all of these specific details. In other instances, well known elements have not been described in detail in order not to unnecessarily obscure the description of the present invention.
Figure 1 is a flow diagram which represents a possible embodiment of the method of the present application, and it shows a plurality of steps: step 101 is the beginning of the method, step 102 intercepts a channel of the operating system through which a process attempts to access an input multimedia resource, step 103 detects the attempt of the process to access the input multimedia resource, step 104 verifies if the process is authorized by an authorized user of the computer system to access the input multimedia resource, step 105 allows the process to access the input multimedia resource, step 106 blocks the attempt of the process to access the input multimedia resource and step 107 is the end of the process. It must be noted that the detailed method is continuously running in the operating system in order to detect any attempt of a process to access the input multimedia resource.
Step 102 comprises intercepting a channel of the operating system through which any process attempts to access the input multimedia resource (video capturing and/or audio capturing device). A software application or another type of process running on an operating system of a computer system requests access to an input multimedia resource. The operating system receives this request from the software application program and, in response, a running process (in another implementation it could be a process launched ex profeso by the operating system) attempts to establish the communication with the input multimedia resource. The video capturing device is connected to the computer system via a data transfer port which is a USB port. The audio capturing device is also connected via a USB port. Other ports could be used to connect the multimedia devices to the computer system, such as FireWire, PCI and parallel or serial buses.
In step 103 the method detects the attempt of the process to access the video capturing device and the audio capturing device.
Step 104 carries out the verification of the process detected in the previous step 103. The verification is carried out by requesting from an authorized user a response as to whether the intercepted process is authorized or not to access the video capturing and the audio capturing devices. The authorized user can receive this request through the computer system which comprises the operating system in which the process is running, or through a computer at a remote location, a smartphone or a PDA for example.
In step 105, the video and audio capturing devices are accessed by the detected process in case this process has been authorized by the authorized user.
In step 106, the attempt of the process to access the video and audio capturing devices is blocked because the process did not get the authorization from the authorized user. In this situation, the process may keep running without having accessed the input multimedia resource.
In another possible implementation, the method may store, upon request, the negative or positive response (granted or denied authorization) from the authorized user in order to automatically block or permit a future attempt of the process to access the input multimedia resource.
Step 107 is the end of the method of the present embodiment. Like step 101, it is symbolic, because the method is continuously running in the operating system.
A particularization of the already-mentioned method of the present embodiment is detailed for the case that the operating system is Microsoft Windows, the input multimedia resource is a webcam connected to the computer system via a USB port and the software application which requests the access to the webcam is Skype.
Step 102 intercepts a channel of the operating system through which a process of a device driver running on the operating system attempts to get access to the webcam. The device driver was loaded in the operating system when the webcam device was detected by the Plug-and-Play device which detects that a new element was connected to the computer system via the USB port. Once the webcam device is detected, the instructions and commands required to control the device are loaded in the operating system. Skype requests the access to the webcam device and, to achieve this, it uses an I/O control communication channel to establish communication with the device driver in order to get access to the webcam device. The interception of this process of the device driver may be carried out at different levels (at user level by means of API hooking, at video stream driver level, or at USB level).
For this particularization, the interception is carried out by using a Microsoft Windows filter driver which intercepts the communications through a channel at connection port level between the operating system and the webcam device connected via the USB port. A filter driver is a type of driver inserted into the existing device driver stack. The task of the filter driver is to identify the USB commands transmitted during the communication between the operating system and the webcam in order to detect the attempt of the process to access the webcam device in step 103. The USB commands can be, e.g., initializing commands, capturing video transmission commands, closing commands, etc.
Another possible way to detect the attempt of a process which tries to get access to a video capturing device could be, for example, the detection in upper layers of the operating system, i.e. at the application programming interface (API).
The Microsoft Windows APIs have evolved considerably in recent years, but Microsoft still keeps compatibility with "old" APIs, for example VFW (Video for Windows). Nowadays, the current API is DirectShow, which is part of DirectX. In this case, detecting the attempt of a process to access the input multimedia resource could be done, for example, by means of a DLL proxy or by detecting the COM API used by DirectShow with the Microsoft Detours library, etc.
In a third way, an upper class filter driver or similar is used. Thus, the detection of the attempt of the process could be carried out by making use of the API for video capturing which is implemented with drivers for video, e.g. an AVStream upper class filter driver. Thus, by filtering the API specifications for capturing video (routines, data structures, object classes, etc.) it is possible to detect and identify a plurality of commands, e.g. commands for initialization, booting, beginning of the transmission, closing, etc., transmitted between the operating system and the webcam device, and therefore the attempt of a process to access the webcam could be detected.
Step 104 verifies if the process is authorized to access the webcam. As explained before, the filter driver detects and identifies the commands transmitted during the communication established between the application and the webcam device. For example, the filter driver identifies a command from the process running on the operating system which orders the webcam to start capturing video images. This command is considered as an attempt of the process to access the webcam device and therefore the process is intercepted. Next, the authorized user is requested to provide a response as to whether he authorizes the intercepted process to take control of the webcam. In order to satisfy this request, the user may enter a personal password, if configured in that way, as identification parameter before authorizing or not the intercepted process.
In step 105, once the password has been verified, if the authorized user authorizes the process to access the webcam, the filter driver passes the intercepted command of the previous step to the existing device driver which manages the communication between the operating system and the webcam. The existing device driver will receive the intercepted command from the filter driver in order to complete the communication permitting the process to access to the webcam and thus, fulfilling the request of accessing the webcam dispatched by the Skype application.
In step 106, if the authorized user does not authorize the process to access the webcam, the filter driver blocks the intercepted command. The existing device driver will not receive the intercepted command from the filter driver and the communication between the operating system and the webcam will be aborted. In this case, the request of accessing the webcam dispatched by Skype will be denied. Next, the method will keep running in order to detect new attempts of processes triggered by program applications requesting input multimedia resource.
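The decision flow of steps 103 to 106, together with the stored-decision variant, modelled in portable C as an added example; it is not code from the patent or from any product and makes no Windows driver calls. The command classes, `gate_filter`, the responder functions, the process name and the passphrase are constructed assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical command classes a port-level filter would tell apart. */
typedef enum { CMD_INIT, CMD_START_CAPTURE, CMD_STOP_CAPTURE } cmd_t;
typedef enum { PASSED_DOWN, BLOCKED } verdict_t;

/* Reply from the authorized user (local pop-up or second computer system). */
typedef struct {
    bool answered;        /* false models a timeout or an undelivered request */
    bool allow;           /* the user's yes/no */
    const char *password; /* identification parameter */
    bool remember;        /* store the decision for future attempts */
} reply_t;
typedef reply_t (*ask_user_fn)(const char *process);

typedef struct { char process[32]; bool allow; } rule_t;
typedef struct {
    const char *password; /* constructed secret; a product would keep a salted hash */
    ask_user_fn ask;
    rule_t rules[8];
    size_t n_rules;
    unsigned prompts;     /* how many times the user was asked */
} gate_t;

/* Compare without stopping at the first mismatching byte. */
static bool same_secret(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Steps 103 to 106 for one intercepted command. */
verdict_t gate_filter(gate_t *g, const char *process, cmd_t cmd) {
    /* Step 103: in this model only a capture start is an access attempt. */
    if (cmd != CMD_START_CAPTURE)
        return PASSED_DOWN;
    /* Stored decision from an earlier prompt, if any. */
    for (size_t i = 0; i < g->n_rules; i++)
        if (strcmp(g->rules[i].process, process) == 0)
            return g->rules[i].allow ? PASSED_DOWN : BLOCKED;
    /* Step 104: ask the user, then validate the identification parameter. */
    g->prompts++;
    reply_t r = g->ask(process);
    bool valid = r.answered && r.password && same_secret(r.password, g->password);
    /* Only validated replies are stored, so a wrong password cannot plant a rule. */
    if (valid && r.remember
        && g->n_rules < sizeof(g->rules) / sizeof(g->rules[0])
        && strlen(process) < sizeof(g->rules[0].process)) {
        strcpy(g->rules[g->n_rules].process, process);
        g->rules[g->n_rules++].allow = r.allow;
    }
    /* Steps 105/106: anything short of a validated "yes" is blocked. */
    return (valid && r.allow) ? PASSED_DOWN : BLOCKED;
}

/* Constructed user behaviours. */
static const char SECRET[] = "constructed-passphrase";
reply_t user_allows_and_remembers(const char *p) { (void)p; return (reply_t){ true, true, SECRET, true }; }
reply_t user_denies_and_remembers(const char *p) { (void)p; return (reply_t){ true, false, SECRET, true }; }
reply_t user_wrong_password(const char *p) { (void)p; return (reply_t){ true, true, "guess", true }; }
reply_t user_never_answers(const char *p) { (void)p; return (reply_t){ false, false, NULL, false }; }

typedef struct { unsigned passed, blocked, prompts; } tally_t;

/* Replay a constructed command trace from one process through a fresh gate. */
tally_t run_session(ask_user_fn ask) {
    static const cmd_t trace[] = { CMD_INIT, CMD_START_CAPTURE,
                                   CMD_STOP_CAPTURE, CMD_START_CAPTURE };
    gate_t g = { .password = SECRET, .ask = ask };
    tally_t t = { 0, 0, 0 };
    for (size_t i = 0; i < sizeof(trace) / sizeof(trace[0]); i++) {
        if (gate_filter(&g, "skype.exe", trace[i]) == PASSED_DOWN) t.passed++;
        else t.blocked++;
    }
    t.prompts = g.prompts;
    return t;
}

int main(void) {
    tally_t t = run_session(user_allows_and_remembers);
    printf("allow+remember: passed=%u blocked=%u prompts=%u\n", t.passed, t.blocked, t.prompts);
    t = run_session(user_wrong_password);
    printf("wrong password: passed=%u blocked=%u prompts=%u\n", t.passed, t.blocked, t.prompts);
    return 0;
}
```

A missing reply and a wrong password both end in a block and leave no stored rule, so the next capture start prompts again; a validated reply with "remember" set is the only path that silences later prompts.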
Although only a number of particular embodiments and examples of the invention have been disclosed herein, it will be understood by those skilled in the art that other alternative embodiments and/or uses of the invention and obvious modifications and equivalents thereof are possible. Furthermore, the present invention covers all possible combinations of the particular embodiments described. Thus, the scope of the present invention should not be limited by particular embodiments, but should be determined only by a fair reading of the claims that follow.
Further, although the embodiments of the invention described with reference to the drawings comprise computer apparatus and processes performed in computer apparatus, the invention also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the invention into practice. The program may be in the form of source code, object code, a code intermediate source and object code such as in partially compiled form, or in any other form suitable for use in the implementation of the processes according to the invention. The carrier may be any entity or device capable of carrying the program.
For example, the carrier may comprise a storage medium, such as a ROM, for example a CD ROM or a semiconductor ROM, or a magnetic recording medium, for example a floppy disc or hard disk. Further, the carrier may be a transmissible carrier such as an electrical or optical signal, which may be conveyed via electrical or optical cable or by radio or other means.
When the program is embodied in a signal that may be conveyed directly by a cable or other device or means, the carrier may be constituted by such cable or other device or means.
Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant processes.

Claims

1. A method of controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system, the method comprising:
• Intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
• Detecting the attempt of the process to access the input multimedia resource;
• Verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource;
• In case of a positive result, allowing the process to access the input multimedia resource;
• In case of a negative result, blocking the attempt of the process to access the input multimedia resource.
2. The method according to claim 1, wherein verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Transmitting a request about if the process is authorized to access the input multimedia resource to a second computer system established by the authorized user;
• Receiving the response of the authorized user, from the second computer system, about if the process is authorized to access the input multimedia resource.
3. The method according to claim 2, wherein verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Requesting an identification parameter of the authorized user;
• Receiving, from the second computer system, the identification parameter from the authorized user;
• Validating the requested identification parameter.
4. The method according to any of claims 1 to 3, wherein detecting the attempt of the process to access the input multimedia resource comprises:
• Filtering the communications at connection port level between the operating system running on the computer system and the input multimedia resource associated to the computer system.
5. The method according to any of claims 1 to 3, wherein detecting the attempt of the process to access the input multimedia resource comprises:
• Filtering or hooking into a plurality of specifications provided by an API of the operating system, wherein said specifications are required for accessing the input multimedia resource.
6. The method according to any of claims 1 to 5, further comprising, in case of a positive result in the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource:
• Displaying a visual notification indicating that the process is accessing the input multimedia resource.
7. The method according to any of claims 1 to 5, further comprising, in case of a negative result in the step of verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource:
• Displaying a visual notification indicating that the attempt of the process to access to the input multimedia resource has been blocked.
8. A computer program product comprising program instructions for causing a computer to perform a method for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system, said method according to any of claims 1 to 7.
9. Computer program product according to claim 8, embodied on a storage medium.
10. Computer program product according to claim 8, carried on a carrier signal.
11. A computer system comprising:
• a memory and a processor, embodying instructions stored in the memory and executable by the processor, the instructions comprising functionality to:
o Intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
o Detecting the attempt of the process to access the input multimedia resource;
o Verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource;
o In case of a positive result, allowing the process to access the input multimedia resource;
o In case of negative result, blocking the attempt of the process to access the input multimedia resource.
12. A system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system, the system comprising:
• Computer means for intercepting at least one communication channel of the operating system through which any process attempts to access the input multimedia resource;
• Computer means for detecting the attempt of the process to access the input multimedia resource;
• Computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource;
• Computer means for allowing the process to access the input multimedia resource;
• Computer means for blocking the attempt of the process to access the input multimedia resource.
13. The system according to claim 12, wherein the computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Computer means for transmitting a request about if the process is authorized to access the input multimedia resource to a second computer system established by the authorized user;
• Computer means for receiving the response of the authorized user, from the second computer system, about if the process is authorized to access the input multimedia resource.
14. The system according to claim 13, wherein the computer means for verifying if the process is authorized by an authorized user of the computer system to access the input multimedia resource comprises:
• Computer means for requesting an identification parameter of the authorized user;
• Computer means for receiving, from the second computer system, the identification parameter from the authorized user;
• Computer means for validating the requested identification parameter.
15. The system according to any of claims 12 to 14, wherein the second computer system is the computer system.
16. The system according to any of claims 12 to 14, wherein the second computer system is a remote computer system.
17. The system according to any of claims 11 to 16, wherein the input multimedia resource is selected from at least one of the following resources:
- a video capturing device;
- an audio capturing device.
PCT/EP2012/051861 2012-02-03 2012-02-03 A method and a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system WO2013113399A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2012/051861 WO2013113399A1 (en) 2012-02-03 2012-02-03 A method and a system for controlling at least one process running on an operating system running on a computer system to access at least one input multimedia resource associated with the computer system

Publications (1)

Publication Number Publication Date
WO2013113399A1 true WO2013113399A1 (en) 2013-08-08

Family

ID=45563038

Country Status (1)

Country Link
WO (1) WO2013113399A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495716A (en) * 2018-11-27 2019-03-19 平安科技(深圳)有限公司 Video conference booking method, system and server, computer readable storage medium

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090070878A1 (en) * 2007-09-10 2009-03-12 Hao Wang Malware prevention system monitoring kernel events

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12702529

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 04/11/2014)

122 Ep: pct application non-entry in european phase

Ref document number: 12702529

Country of ref document: EP

Kind code of ref document: A1