Special PC mode entered upon detection of undesired state

Description

BACKGROUND

Operating systems are a key building block in the development of computing systems. Over the several decades since personal computing has become widespread operating systems have substantially increased in complexity. The development of a computer operating system that is backward-compatible to a substantial number of computer applications, but still is secure enough to achieve a high level of assurance of tamper resistance is extremely challenging. However, new business models for pay-per-use or pay-as-you-go computing require a high level of assurance of tamper resistance.

SUMMARY

A computer adapted for use in a pay-per-use business model may use a supervisor or isolated computing environment to monitor and measure performance of the computer, as well as compliance to a set of usage policies. The isolated computing environment may have a secure memory, a secure processing capability, and a cryptographic capability. The isolated computing environment may boot prior to other boot devices to establish a secure computing base before the introduction of non-secure computing capabilities to the computer, such as the operating system.

According to one aspect of the disclosure, the isolated computing environment may request data, receive data, or probe for information from the computer. The isolated computing environment may use the acquired data to develop a score for compliance with the policy established, for example, by a service provider. The score may increase as compliance with the policies is confirmed and the score may decrease as noncompliance is determined. Should the score reach or fall below a threshold level, a sanctioned mode may be invoked. The sanctioned mode, or alternate operating mode, may involve a simple warning to a user, may limit a function of the computer so the computer is less useful, or may stop the operating system or some other key component completely, thereby disabling the computer. When disabled, the computer may require service by a service provider or other authorized party for determination and correction of noncompliant conditions, and may include the user paying back service fees or penalties. The isolated computing environment may send notification data to a user or service technician to assist in determining the current state of the computer and corrective actions to take to restore the computer. Similarly, even in a non-sanctioned mode, the isolated computing environment may export data for monitoring or diagnostics.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified and representative block diagram of a computer;

FIG. 2 is a block diagram of a simplified isolated computing environment;

FIG. 3 is a simplified and exemplary block diagram illustrating an embodiment of a supervisor;

FIG. 4 is a simplified and exemplary block diagram illustrating another embodiment of a supervisor;

FIG. 5 is a flow chart depicting a method of establishing and measuring compliance to a policy on a computer.

DETAILED DESCRIPTION OF VARIOUS EMBODIMENTS

Although the following text sets forth a detailed description of numerous different embodiments, it should be understood that the legal scope of the description is defined by the words of the claims set forth at the end of this disclosure. The detailed description is to be construed as exemplary only and does not describe every possible embodiment since describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims.

It should also be understood that, unless a term is expressly defined in this patent using the sentence “As used herein, the term ‘_{——————}’ is hereby defined to mean . . . ” or a similar sentence, there is no intent to limit the meaning of that term, either expressly or by implication, beyond its plain or ordinary meaning, and such term should not be interpreted to be limited in scope based on any statement made in any section of this patent (other than the language of the claims). To the extent that any term recited in the claims at the end of this patent is referred to in this patent in a manner consistent with a single meaning, that is done for sake of clarity only so as to not confuse the reader, and it is not intended that such claim term by limited, by implication or otherwise, to that single meaning. Finally, unless a claim element is defined by reciting the word “means” and a function without the recital of any structure, it is not intended that the scope of any claim element be interpreted based on the application of 35 U.S.C. §112, sixth paragraph.

Much of the inventive functionality and many of the inventive principles are best implemented with or in software programs or instructions and integrated circuits (ICs) such as application specific ICs. It is expected that one of ordinary skill, notwithstanding possibly significant effort and many design choices motivated by, for example, available time, current technology, and economic considerations, when guided by the concepts and principles disclosed herein will be readily capable of generating such software instructions and programs and ICs with minimal experimentation. Therefore, in the interest of brevity and minimization of any risk of obscuring the principles and concepts in accordance to the present invention, further discussion of such software and ICs, if any, will be limited to the essentials with respect to the principles and concepts of the preferred embodiments.

FIG. 1 illustrates a computing device in the form of a computer 110. Components of the computer 110 may include, but are not limited to a processing unit 120, a system memory 130, and a system bus 121 that couples various system components including the system memory to the processing unit 120. The system bus 121 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. By way of example, and not limitation, such architectures include Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, Enhanced ISA (EISA) bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus also known as Mezzanine bus.

Computer 110 typically includes a variety of computer readable media. Computer readable media can be any available media that can be accessed by computer 110 and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer readable media may comprise computer storage media and communication media. Computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, FLASH memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can accessed by computer 110. Communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, radio frequency, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer readable media.

The system memory 130 includes computer storage media in the form of volatile and/or nonvolatile memory such as read only memory (ROM) 131 and random access memory (RAM) 132. A basic input/output system 133 (BIOS), containing the basic routines that help to transfer information between elements within computer 110, such as during start-up, is typically stored in ROM 131. RAM 132 typically contains data and/or program modules that are immediately accessible to and/or presently being operated on by processing unit 120. By way of example, and not limitation, FIG. 1 illustrates operating system 134, application programs 135, other program modules 136, and program data 137.

The computer 110 may also include other removable/non-removable, volatile/nonvolatile computer storage media. By way of example only, FIG. 1 illustrates a hard disk drive 141 that reads from or writes to non-removable, nonvolatile magnetic media, a magnetic disk drive 151 that reads from or writes to a removable, nonvolatile magnetic disk 152, and an optical disk drive 155 that reads from or writes to a removable, nonvolatile optical disk 156 such as a CD ROM or other optical media. Other removable/non-removable, volatile/nonvolatile computer storage media that can be used in the exemplary operating environment include, but are not limited to, magnetic tape cassettes, flash memory cards, digital versatile disks, digital video tape, solid state RAM, solid state ROM, and the like. The hard disk drive 141 is typically connected to the system bus 121 through a non-removable memory interface such as interface 140, and magnetic disk drive 151 and optical disk drive 155 are typically connected to the system bus 121 by a removable memory interface, such as interface 150.

The drives and their associated computer storage media discussed above and illustrated in FIG. 1, provide storage of computer readable instructions, data structures, program modules and other data for the computer 110. In FIG. 1, for example, hard disk drive 141 is illustrated as storing operating system 144, application programs 145, other program modules 146, and program data 147. Note that these components can either be the same as or different from operating system 134, application programs 135, other program modules 136, and program data 137. Operating system 144, application programs 145, other program modules 146, and program data 147 are given different numbers here to illustrate that, at a minimum, they are different copies. A user may enter commands and information into the computer 20 through input devices such as a keyboard 162 and pointing device 161, commonly referred to as a mouse, trackball or touch pad. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner, or the like. These and other input devices are often connected to the processing unit 120 through a user input interface 160 that is coupled to the system bus, but may be connected by other interface and bus structures, such as a parallel port, game port or a universal serial bus (USB). A monitor 191 or other type of display device is also connected to the system bus 121 via an interface, such as a video interface 190. In addition to the monitor, computers may also include other peripheral output devices such as speakers 197 and printer 196, which may be connected through an output peripheral interface 195.

The computer 110 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 180. The remote computer 180 may be a personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computer 110, although only a memory storage device 181 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 171 and a wide area network (WAN) 173, but may also include other networks. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet.

When used in a LAN networking environment, the computer 110 is connected to the LAN 171 through a network interface or adapter 170. When used in a WAN networking environment, the computer 110 typically includes a modem 172 or other means for establishing communications over the WAN 173, such as the Internet. The modem 172, which may be internal or external, may be connected to the system bus 121 via the user input interface 160, or other appropriate mechanism. In a networked environment, program modules depicted relative to the computer 110, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, FIG. 1 illustrates remote application programs 185 as residing on memory device 181.

The communications connections 170172 allow the device to communicate with other devices. The communications connections 170172 are an example of communication media. The communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media. A “modulated data signal” may be a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Computer readable media may include both storage media and communication media.

An isolated computing environment 125 may be used to implement a supervisor, a trusted computing base, or other secure environment. and may be used to monitor, measure, and/or sanction the computer 110 when policies established for use are not followed. The policies may reflect the terms of an agreement between a user of the computer 110 and a service provider with an interest in the computer 110. The isolated computing environment 125 is discussed in more detail with respect to FIG. 2, below.

The isolated computing environment 125 may be instantiated in more than one manner. When implemented by one or more discrete components, the isolated computing environment 125 may be disposed on the motherboard (not depicted) of the computer. Ideally, the removal or de-lidding of the isolated computing environment 125 causes permanent damage to the motherboard and/or surrounding components and renders the computer 110 inoperable.

Another instantiation of the isolated computing environment 125 may be as depicted in FIG. 1, where the isolated computing environment 125 is incorporated in the processing unit 120. Being so disposed in the processing unit may offer advantages of better access to processing unit registers and monitoring of data sequences as well as improved resistance to physical attacks.

When an attested boot process exists, the isolated computing environment 125 may be implemented in software because the boot process can guarantee execution cycles and a certified operating environment. In such a case, the isolated computing environment 125 may not require a separate processor but may be run from the main processing unit 120. When an attested boot is not available, a hardware implementation of the isolated computing environment 125 may be recommended.

A license provisioning module, or LPM (see FIGS. 3 & 4), may be incorporated to measure and authorize use of the computer in a pay-per-use or pay-as-you-go configuration. The LPM, when implemented in software, may be stored in nonvolatile memory 146 and executed from memory 136. When the LPM is implemented in software, it may be vulnerable to attack. One purpose of the supervisor (see FIGS. 3 & 4) and/or isolated computing environment 125 may be to act as a watchdog over the LPM to help ensure its integrity and correct function.

In an alternate embodiment; the isolated computing environment 125 may assume the role of the LPM with respect to valid hardware configuration of the computer. That is, the separately-booted isolated computing environment 125 may have configuration data that allows operation of the computer according to its licensed capability, the licensed capability being less than that potentially available. For example, the computer may be capable of running with 512 megabytes (MB) of random access memory (RAM), but the valid configuration specifies 256 megabytes of RAM. The isolated computing environment 125 may limit the function of the computer to the 256 MB of system memory. Similar restrictions may be enforceable with respect to processor clock rate, available cache memory, number of cores of the processor 120 available, graphics card functions, hard drive capacity, networking options, or internal bus drivers. From an implementation perspective, there is little or no difference between imposing a limitation based on a monitored activity or enforcing a limitation based on a pre-determined setting or license.

Referring to FIG. 2, a simplified and representative isolated computing environment is discussed and described. The isolated computing environment may be or may be similar to the isolated computing environment 125 introduced above. The isolated computing environment 125 may include a memory 202, both volatile and non-volatile, a data input/output circuit 204 and a timer or clock 206. For example, a timer 206 may be used to implement the clock function by counting intervals of real time.

The isolated computing environment 125 may further include a digital signature verification circuit 208. When one-way verification of an external entity is required, for example, verification of a server (not depicted), a random number generator 210 may be a part of the digital signature verification circuit 208. Digital signature technology is well known and hashing, signature verification, symmetric and asymmetric algorithms and their respective keys are not discussed here in detail.

The blocks of the isolated computing environment 125 may be coupled by a bus 210. The bus 210 may be separate from a system or processing unit bus 214 used for external access. Separate busses may improve security by limiting access to data passed by bus 210. The bus 210 may incorporate security precautions such as balanced data lines to make power attacks on cryptographic keys 216 stored in the memory 202 more difficult.

A processor 216 may be available for execution of programs. As discussed above, when an attested boot is not available, the processor 216 may be included to provide the isolated computing environment 125 with guaranteed computing capability and separation from the operating system 134.

The memory 202, may, in addition to storing cryptographic keys 216, store data 220 that may include operational information, such as, a current score associated with compliance, or system information, such as, specific contractual information. Measurement data 222 may be associated with a monitor program 224. The monitor program 224 is discussed in more detail below, but briefly, is used to take measurements, receive information about the current operation of the computer 110, and determine a compliance score. The sanction program 226 may be invoked when the compliance score is below a predetermined threshold. The sanction program 226 may be capable of triggering both software and hardware mechanisms for impairing or disabling the computer 110.

FIG. 3 illustrates an exemplary embodiment of a computer 110, showing the relationship hardware and software components associated with pay-per-use or pay-as-you-go computing. The operating system 134 of FIG. 1 may support the LPM 302 and operating system services 304 associated with the pay-as-you-go operation. The operating system services 304 may include secure time, secure store, and encrypt/decrypt. In this embodiment, elements of the isolated computing environment 125 are configured as a supervisor 306. The supervisor 306 may include a secure memory 308, a secure clock 310, and a cryptographic key store 312. A unique hardware identifier 314 may be available to the supervisor 306 for use in processing provisioning packets and in identifying the computer 110 to an outside entity.

The secure memory 308 may be a separate memory area accessible only by the isolated computing environment 125, and/or only after cryptographic authentication. The secure clock 310 may provide a tamper-resistant time base providing monotonically increasing time for the life of the computer. The secure clock 310 may be used for interval timing or as a calendar base. The cryptographic key store 312 may provide storage for cryptographic keys. The key store 312 may be essentially a write-only memory and include cryptographic algorithms such that calculations are performed within the key store and only results are provided. Keys may not be read from the key store 312 once written and verified.

The supervisor 306, and its underlying isolated computing environment 125, may operate independently of the operating system 134. For security reasons, the supervisor 306 may boot prior to any other boot device when the computer 110 is powered on or reset. Booting independently from the operating system helps ensure that the supervisor 306 and the isolated computing environment 125 are not spoofed or starved for CPU time by another boot device.

Communication between the supervisor 306 and the operating system services 304 for may be accomplished over logical communication link 316, and may be supported over physical communication bus 214. The LPM 302 may be in communication with the supervisor 306 as shown by logical link 318. The link 318 supports requests from the supervisor 306 to the LPM 302 for audit data. Additionally, the LPM 302 may send a periodic heartbeat to the supervisor 306 as an ongoing audit of system compliance. Because the supervisor 306 may completely disable the operating system 134 when a noncompliant situation is discovered, the supervisor 306 may have sufficient power and hardware access to present a sanctioned mode user interface 320 for use while the computer 110 is in the sanctioned mode.

The audit/heartbeat data may be sent over logical link 318 and may include data required to validate a software component, particularly the LPM 302. The supervisor 316 may be programmed to expect heartbeat data at a regular interval. The heartbeat data may include validation information such as a digital signature of its binary executable code, including a sequence number or other method for preventing a replay attack. The regular heartbeat, for example, from the LPM 302 may serve as evidence that the LPM is still running and when its signature is verified, that it is a correct version of the unmodified code. Should the supervisor fail to validate the authenticity of the heartbeat, or if the heartbeat does not arrive within a prescribed period, the heartbeat may fail and the compliance score may be reduced. Heartbeat messages that arrive more often than required may not be penalized, while a single failed heartbeat may not be sufficient to invoke a sanction, depending on the policy rules.

The supervisor 306 is different from a known hypervisor or monitor. A monitor may sit between the operating system and related hardware to negotiate resource sharing or CPU time slicing. Because a monitor is closely tied to the operating system, it is difficult to abstract a monitor to a variety of operating systems, or even operating system versions. In contrast, the supervisor 306, in one embodiment, does not attempt to manage or negotiate system resource usage during normal operation. In its simplest form, the supervisor 306 receives a policy, authenticates the policy, monitors for compliance, and sanctions noncompliance to the policy. The policy may be a data structure that is passed from the operating system corresponding to predetermined limits, for example, usage hours or calendar months of usage.

Because the supervisor 306 is independent of the operating system, or an other boot device, the supervisor 306 may be used to enforce policies for virtually any operating system or operating environment. This independence from the underlying platform is, in one embodiment, is facilitated by the supervisor's guaranteed access to computing cycles, secure memory, and time base.

FIG. 4 depicts an alternate embodiment of the operating system and hardware components associated with a pay-per-use computer, such as computer 110. As in FIG. 3, the operating system 134 includes the LPM 302 and the underlying operating system services 304. A smaller supervisor 309, that also may also be based on a hardware isolated computing environment 125, may only monitor system secure resources 307 via bus 330, rather than offer and maintain them as in the embodiment of FIG. 3. The secure resources 307 may have secure memory 308, the secure clock 310, the cryptographic key store 312, and the hardware identifier 314. Individual service requests to the various operating system calling entities may be made via logical connections illustrated by data paths 322, 324, 326. The audit/heartbeat logical connection 318 may be maintained between the supervisor 309 and the LPM 302. In this configuration, the hardware identifier 314 may be made available to the LPM 302 via logical connection 328, among other things, for verifying provisioning packets and for use in generating the heartbeat signal.

In operation, both configurations as depicted in FIG. 3 and FIG. 4 may operate in a similar fashion with respect to developing a compliance score. The compliance score may be an accumulation of weighted values determined by measurement and observation. The measurements 222 performed by the monitoring process 224 (FIG. 2) may be used to evaluate different events and classify them, in the most simplistic form, as either good or bad. Each good event results in an improved compliance score, whereas each bad event decreases the compliance score. Criteria may be established such that no single event may be sufficient for the compliance score to reach a minimum threshold, causing sanctions to be imposed.

The supervisors 306309 of the embodiments of FIG. 3 and FIG. 4 may both measure the frequency and quality of heartbeat signals. The compliance score may be increased when good heartbeats are received on time. The supervisor 306 of FIG. 3 may have full access to key data used in metering and measurement. For example, the compliance score may also increase when the monitor 224 determines: that the operating system is metering usage. The monitor 224 may also determined a tally of time used versus purchases of additional time. When the estimated purchases match the estimated usage, the compliance score may also be increased. Other measurements may be taken, such as verification of designated files, for example the LPM 302 or boot files (not depicted), or verification of the system clock.

However, when the heartbeat fails or does not arrive on time, the compliance score may be reduced. If the operating system persists in a non-metered state for a predetermined amount of time, the compliance score may be reduced. If the operating system enters and exits the metering state at too high a rate, indicating perhaps tampering with the metering circuits, the compliance score may also be reduced.

The supervisor 309 of the embodiment of FIG. 4 may have less access to direct metering data or the operating system state. Such a configuration may be more reliant on heartbeat monitoring or other factors such as the rate of change of secured storage as an indication that metering data is being updated.

The compliance score in any embodiment may start at initial value and increase or decrease as various ‘good’ and ‘bad’ measurements are determined. When the compliance score is decreased sufficiently a first threshold may be reached, triggering an action. In one embodiment, the first threshold may be the only threshold and an immediate sanction may be imposed. In another embodiment, the first threshold may trigger a warning advising the user that tampering concerns have been raised and appropriate action may need to be taken. In yet another embodiment, the first threshold may trigger a limited sanction, such as, limiting display resolution or reducing processor speed. Should the compliance score continue to decrease a threshold may be reached where a dramatic sanction such as disabling the operating system may be invoked. At that point, the computer 110 may need to be taken to a service center for restoration. The sanctioned mode user interface 320 may be activated for restoration services when the operating system is disabled.

To illustrate using an exemplary embodiment, a computer 110 may be given a starting compliance score of 80. After a series of successful heartbeats, a purchase of usage time, and routine metering, the compliance score may be increased to a maximum of 100 (other embodiments may not use a maximum compliance score limit). At that point however, the user attempts to defeat the metering mechanism by overwriting the LPM 302. A measurement of the LPM 302 fails because a hash of the destination memory range does not match an expected hash. The heartbeat signals stop and routine metering stops because the replacement LPM is not programmed to support those functions. With each successive measurement failure the compliance score may decrease, for example, to 70. When the compliance score reaches 70, a warning message is displayed to the user indicating that the system appears to have been tampered and will be shut down without corrective measures. The user ignores the warning and the compliance score decreases to 55. The supervisor 306 may then activate the sanction program 226 to take action to shut down the computer 110, for example, by halting the processing unit 120. The sanctioned mode user interface 320 may then pop up a message informing the user that the computer has been disabled and must be taken to a service center for restoration.

At the service center a technician may use the sanctioned mode user interface 320 to determine that the replacement LPM was not compliant and restore a compliant LPM 302. The service technician may trigger the supervisor 306 to restart the monitor 224 program, if required, and may be able to manually reset the compliance score, if desired. In this example, as someone clearly tampered with the computer, a fine or service charge may be imposed on the user to discourage future attempts at tampering with the system.

FIG. 5, a method of determining non-compliance with a policy on a computer is discussed and described. A policy establishing rules of operation and usage criteria for a computer 110 may be established by a service provider or other party with a financial interest in the computer 110. After the policy has been established, measurable criteria for determining compliance or noncompliance with the policy may be developed 402. The criteria may include measurements such as hashing of known memory ranges and/or monitoring of conditions and activities on the computer 110, such as reprovisioning usage credits on the computer 110. The measurement and monitoring criteria may be programmed into a supervisor such as supervisor 306, which in turn may be built on an isolated computing environment 125.

The supervisor 306 may be activated 404 prior to activating, or booting, any other system element including an operating system 134. The reasons for first boot are discussed previously, but briefly, doing so helps to ensure a known, clean operating environment for the supervisor 306. When first activated, for example during manufacturing or at the time of installation, an initial compliance score may be established corresponding to operation in accordance with the established policy. In one embodiment, the supervisor 306 has a program execution environment autonomous from the operating system 134, to further isolate the supervisor 306 from attacks made on the operating system 134 and associated components.

After the supervisor 306 is booted, other boot devices may be started 406, such as the operating system 134 or any other early boot devices. When the computer 110 is operational, the supervisor 306 may begin monitoring and measuring 408 according to the critria developed at block 402. Each monitoring or measuring finding may be used to adjust the compliance score.

The criteria used at block 408 may include clock verification, the duration of a single computing session, the amount of time measured between provisioning packets were provided, or comparisons between the total time of operation of the computer in the total number of provisioning packets provided.

Metering and measurement data that may be used in evaluating the various criteria may be an operating system heartbeat, a verification of designated files, verification of a system clock, a current operating mode, a frequency of writes to the memory, or a time since last provisioning cycle. For example, clock verification may include a comparison of the secure clock time 310 to a soft clock under the control the operating system and may be followed by an analysis of the last time provisioning packets were provided.

As often as each measurement or monitoring result is determined, the compliance score may be compared 410 to a predetermined threshold. When the score is above the threshold, the no branch from block 410 may be taken back to block 408 where additional measurements may be taken. When the compliance score is below the threshold, the yes branch from block 410 may be taken and an additional test performed to determine 412 whether the score indicates a warning or a sanction is appropriate. When a warning is appropriate the branch labeled warning may be taken from block 412 and a warning displayed 416. Execution may then continue at block 408.

When it is determined at block 412 that a sanction is appropriate, the sanctioned branch from block 412 may be taken to block 414 where a sanction may be imposed. A range of sanctions may be available, including reducing display resolution, color depth, slowing the processor, and depending on the policy, the operating system may be deactivated or other major system or apparatus that substantially disables the computer 110.

Although the forgoing text sets forth a detailed description of numerous different embodiments of the invention, it should be understood that the scope of the invention is defined by the words of the claims set forth at the end of this patent. The detailed description is to be construed as exemplary only and does not describe every possibly embodiment of the invention because describing every possible embodiment would be impractical, if not impossible. Numerous alternative embodiments could be implemented, using either current technology or technology developed after the filing date of this patent, which would still fall within the scope of the claims defining the invention.

Thus, many modifications and variations may be made in the techniques and structures described and illustrated herein without departing from the spirit and scope of the present invention. Accordingly, it should be understood that the methods and apparatus described herein are illustrative only and are not limiting upon the scope of the invention.

Claims

1. A computing device, comprising: a first memory device storing an operating system of the computing device;a tamper resistant memory device that is separate from the first memory device, the tamper resistant memory device storing a supervisory program;a processor coupled to both the first memory device and the tamper resistant memory device;when a user turns on the computing device, the supervisory program being booted up and readied for operation prior to a time when the operating system of the computing device starts running, the supervisory program having precedence over and operating independently of at least one other boot device in the computing device;when the computing device is powered up and ready for use by the user on a pay per use or pay as you go basis, the supervisory program generating an initial compliance score that is representative of the computing device's compliance with a plurality of policies that indicate the operating system is metering usage of the computing device on the pay per use or the pay as you go basis;while the computing device is being used on the pay per use or the pay as you go basis, the supervisory program: receiving data that is representative of a then current operational state of the computing device,calculating an updated compliance score, andwhen the updated compliance score is less than a first threshold, invoking a first sanction mode that limits the ability of the computing device to be used on the pay per use or the pay as you go basis until the user takes corrective action that raises the value of the updated compliance score above the first threshold; andthe supervisory program, during an interval of time for which the user has fully paid for use of the computing device, causing the computing device to enter a non-operational state when, during the interval of time, the supervisory program determines that the updated compliance score falls below a second threshold that is lower than the first threshold,wherein the operating system stored on the first memory device and the supervisory program stored on the tamper resistant memory device that is separate from the first memory device both execute on the processor concurrently, the supervisory program having guaranteed access to computing cycles on the processor while the processor is also executing the operating system that meters the usage of the computing device.
2. The computing device of claim 1, wherein the computing device comprises a personal computer.
3. The computing device of claim 1, the received data comprising an operating system heartbeat indicating that the operating system is metering the usage of the computing device.
4. The computing device of claim 1, wherein the received data indicates whether the computing device is operating in the first sanction mode.
5. The computing device of claim 1, wherein the received data comprises a time since a last provisioning cycle was executed.
6. A method implemented by a supervisory program on a computing device comprising a processor, the method comprising: booting the supervisory program on the computing device independently from an operating system that also boots on the computing device;generating an initial compliance score that is representative of compliance by the computing device with one or more policies that indicate the operating system is metering usage of the computing device;receiving data that indicates whether the operating system is metering the usage of the computing device;calculating an updated compliance score based on the received data;in an instance where the updated compliance score is outside of a first threshold but not a second threshold that is different than the first threshold, invoking a first sanction mode that limits the ability of the computing device to be used on a pay per use or pay as you go basis until a user takes corrective action that changes the value of the updated compliance score to be within the first threshold;in an instance where the compliance score is outside both the first threshold and the second threshold, causing the computing device to enter a non-operational state,wherein the operating system is stored in a first memory device and the supervisory program is stored in a tamper resistant memory device that is separate from the first memory device; andthe operating system and the supervisory program both execute concurrently on the processor of the computing device, the supervisory program having guaranteed access to computing cycles on the processor while the processor is also executing the operating system.
7. The method according to claim 6, the second threshold being lower than the first threshold.
8. The method according to claim 6, the received data comprising a heartbeat indicating that the operating system is metering the usage of the computing device.
9. The method according to claim 8, the heartbeat being received at a regular interval.
10. The method according to claim 8, the heartbeat being received from a provisioning module that is supported by the operating system.
11. The method according to claim 10, the heartbeat comprising a digital signature of binary executable code of the provisioning module.
12. The method according to claim 6, the first sanction mode reducing a processor speed of the processor of the computing device.
13. The method according to claim 6, the first sanction mode limiting a display resolution of the computing device.
14. The method according to claim 6, the supervisory program booting before the operating system.
15. The method of claim 6, wherein the updated compliance score is further based on a comparison of a soft clock under control of the operating system to a secure clock time from a tamper resistant time base.
16. One or more computer-readable storage devices comprising executable instructions that perform the method of claim 6.
17. A method comprising: generating an initial compliance score that is representative of compliance by a computing device with one or more policies that indicate an operating system of the computing device is metering usage of the computing device;receiving data that indicates whether the operating system is metering the usage of the computing device;calculating an updated compliance score based on the received data;in an instance where the updated compliance score reaches a first threshold but not a second threshold that is different than the first threshold, invoking a first sanction mode that limits the ability of the computing device to be used on a pay per use or pay as you go basis until a user takes corrective action that changes the value of the updated compliance score;in an instance where the compliance score reaches the second threshold, causing the computing device to enter a non-operational state,wherein the operating system is stored on a first memory device and the generating, the receiving, the calculating, the invoking, and the causing are performed by a program that is stored in a tamper resistant memory device that is separate from the first memory device, andthe operating system and the program both execute concurrently on a processor of the computing device, the program having guaranteed access to computing cycles on the processor while the processor is also executing the operating system.
18. The method according to claim 17, the non-operational state being entered by disabling the operating system.
19. The method according to claim 17, wherein the first sanction mode comprises slowing a clock speed of the processor.
20. One or more computer-readable storage devices comprising executable instructions that perform the method of claim 17.

Parent Case Info

This application is a continuation-in-part of U.S. patent application Ser. No. 11/022,493, filed Dec. 22, 2004 which is a continuation-in-part of U.S. patent application Ser. No. 11/006,837, filed Dec. 8, 2004, which is a continuation-in-part of U.S. patent application Ser. No. 10/989,122, filed Nov. 15, 2004.

US Referenced Citations (369)

Number	Name	Date	Kind
4558176	Arnold et al.	Dec 1985	A
4620150	Germer et al.	Oct 1986	A
4750034	Lem	Jun 1988	A
4817094	Lebizay et al.	Mar 1989	A
4855730	Venners et al.	Aug 1989	A
4855922	Huddleston et al.	Aug 1989	A
4857999	Welsh	Aug 1989	A
4910692	Outram	Mar 1990	A
4959774	Davis	Sep 1990	A
4967273	Greenberg	Oct 1990	A
5001752	Fischer	Mar 1991	A
5012514	Renton	Apr 1991	A
5249184	Woest et al.	Sep 1993	A
5269019	Peterson et al.	Dec 1993	A
5274368	Breeden et al.	Dec 1993	A
5301268	Takeda	Apr 1994	A
5355161	Bird et al.	Oct 1994	A
5369262	Dvorkis et al.	Nov 1994	A
5406630	Piosenka et al.	Apr 1995	A
5414861	Horning	May 1995	A
5437040	Campbell	Jul 1995	A
5442704	Holtey	Aug 1995	A
5448045	Clark	Sep 1995	A
5459867	Adams et al.	Oct 1995	A
5473692	Davis	Dec 1995	A
5490216	Richardson, III	Feb 1996	A
5500897	Hartman, Jr.	Mar 1996	A
5513319	Finch et al.	Apr 1996	A
5522040	Hofsass et al.	May 1996	A
5530846	Strong	Jun 1996	A
5552776	Wade et al.	Sep 1996	A
5563799	Brehmer et al.	Oct 1996	A
5568552	Davis	Oct 1996	A
5586291	Lasker et al.	Dec 1996	A
5671412	Christiano	Sep 1997	A
5710706	Markl et al.	Jan 1998	A
5715403	Stefik	Feb 1998	A
5724425	Chang et al.	Mar 1998	A
5745879	Wyman	Apr 1998	A
5763832	Anselm	Jun 1998	A
5768382	Schneier et al.	Jun 1998	A
5771354	Crawford	Jun 1998	A
5774870	Storey	Jun 1998	A
5793839	Farris et al.	Aug 1998	A
5802592	Chess	Sep 1998	A
5825883	Archibald et al.	Oct 1998	A
5841865	Sudia	Nov 1998	A
5844986	Davis	Dec 1998	A
5845065	Conte et al.	Dec 1998	A
5875236	Jankowitz et al.	Feb 1999	A
5883670	Sporer et al.	Mar 1999	A
5892906	Chou et al.	Apr 1999	A
5948061	Merriman	Sep 1999	A
5953502	Helbig et al.	Sep 1999	A
5956408	Arnold	Sep 1999	A
5994710	Knee et al.	Nov 1999	A
6026293	Osborn	Feb 2000	A
6049789	Frison et al.	Apr 2000	A
6061794	Angelo et al.	May 2000	A
6078909	Knutson	Jun 2000	A
6119229	Martinez et al.	Sep 2000	A
6148417	Da Silva	Nov 2000	A
6158657	Hall, III et al.	Dec 2000	A
6185678	Arbaugh et al.	Feb 2001	B1
6188995	Garst et al.	Feb 2001	B1
6192392	Ginter	Feb 2001	B1
6233685	Smith	May 2001	B1
6243439	Arai et al.	Jun 2001	B1
6253224	Brice, Jr. et al.	Jun 2001	B1
6263431	Lovelace et al.	Jul 2001	B1
6279111	Jensenworth et al.	Aug 2001	B1
6289319	Lockwood et al.	Sep 2001	B1
6295577	Anderson et al.	Sep 2001	B1
6303924	Adan et al.	Oct 2001	B1
6314409	Schneck et al.	Nov 2001	B2
6321335	Chu	Nov 2001	B1
6327652	England et al.	Dec 2001	B1
6330670	England et al.	Dec 2001	B1
6345294	O'Toole et al.	Feb 2002	B1
6363488	Ginter et al.	Mar 2002	B1
6367017	Gray	Apr 2002	B1
6373047	Adan et al.	Apr 2002	B1
6385727	Cassagnol et al.	May 2002	B1
6405923	Seysen	Jun 2002	B1
6408170	Schmidt et al.	Jun 2002	B1
6424714	Wasilewski et al.	Jul 2002	B1
6441813	Ishibashi	Aug 2002	B1
6442529	Krishan et al.	Aug 2002	B1
6442690	Howard, Jr. et al.	Aug 2002	B1
6460140	Schoch et al.	Oct 2002	B1
6463534	Geiger et al.	Oct 2002	B1
6496858	Frailong et al.	Dec 2002	B1
6567793	Hicks et al.	May 2003	B1
6571216	Garg et al.	May 2003	B1
6585158	Norskog	Jul 2003	B2
6587684	Hsu et al.	Jul 2003	B1
6609201	Folmsbee	Aug 2003	B1
6625729	Angelo	Sep 2003	B1
6631478	Wang et al.	Oct 2003	B1
6646244	Aas et al.	Nov 2003	B2
6664948	Crane et al.	Dec 2003	B2
6671803	Pasieka	Dec 2003	B1
6678828	Pham et al.	Jan 2004	B1
6690556	Smola et al.	Feb 2004	B2
6694000	Ung et al.	Feb 2004	B2
6704873	Underwood	Mar 2004	B1
6708176	Strunk et al.	Mar 2004	B2
6711263	Nordenstam et al.	Mar 2004	B1
6716652	Ortlieb	Apr 2004	B1
6738810	Kramer et al.	May 2004	B1
6763458	Watanabe	Jul 2004	B1
6765470	Shinzaki	Jul 2004	B2
6791157	Casto et al.	Sep 2004	B1
6816809	Circenis	Nov 2004	B2
6816900	Vogel et al.	Nov 2004	B1
6834352	Shin	Dec 2004	B2
6839841	Medvinsky et al.	Jan 2005	B1
6844871	Hinckley et al.	Jan 2005	B1
6847942	Land et al.	Jan 2005	B1
6851051	Bolle et al.	Feb 2005	B1
6868433	Philyaw	Mar 2005	B1
6871283	Zurko et al.	Mar 2005	B1
6920567	Doherty et al.	Jul 2005	B1
6934942	Chilimbi	Aug 2005	B1
6954728	Kusumoto et al.	Oct 2005	B1
6957186	Guheen et al.	Oct 2005	B1
6976162	Ellison et al.	Dec 2005	B1
6983050	Yacobi et al.	Jan 2006	B1
6986042	Griffin	Jan 2006	B2
6990174	Eskelinen	Jan 2006	B2
6993648	Goodman et al.	Jan 2006	B2
7000100	Lacombe et al.	Feb 2006	B2
7000829	Harris et al.	Feb 2006	B1
7013384	Challener et al.	Mar 2006	B2
7028149	Grawrock	Apr 2006	B2
7054468	Yang	May 2006	B2
7069442	Sutton, II	Jun 2006	B2
7069595	Cognigni et al.	Jun 2006	B2
7076652	Ginter et al.	Jul 2006	B2
7096469	Kubala et al.	Aug 2006	B1
7097357	Johnson et al.	Aug 2006	B2
7103574	Peinado et al.	Sep 2006	B1
7113912	Stefik	Sep 2006	B2
7117183	Blair et al.	Oct 2006	B2
7121460	Parsons et al.	Oct 2006	B1
7127579	Zimmer	Oct 2006	B2
7130951	Christie et al.	Oct 2006	B1
7143297	Buchheit et al.	Nov 2006	B2
7162645	Iguchi et al.	Jan 2007	B2
7171539	Mansell et al.	Jan 2007	B2
7174457	England et al.	Feb 2007	B1
7207039	Komarla et al.	Apr 2007	B2
7234144	Wilt et al.	Jun 2007	B2
7236455	Proudler et al.	Jun 2007	B1
7266569	Cutter et al.	Sep 2007	B2
7299358	Chateau et al.	Nov 2007	B2
7353402	Bourne et al.	Apr 2008	B2
7356709	Gunyakti et al.	Apr 2008	B2
7359807	Frank et al.	Apr 2008	B2
7360253	Frank et al.	Apr 2008	B2
7392429	Westerinen et al.	Jun 2008	B2
7395245	Okamoto et al.	Jul 2008	B2
7395452	Nicholson et al.	Jul 2008	B2
7406446	Frank et al.	Jul 2008	B2
7421413	Frank et al.	Sep 2008	B2
7441121	Cutter, Jr. et al.	Oct 2008	B2
7441246	Auerbach et al.	Oct 2008	B2
7461249	Pearson et al.	Dec 2008	B1
7464103	Siu	Dec 2008	B2
7490356	Lieblich et al.	Feb 2009	B2
7493487	Phillips et al.	Feb 2009	B2
7494277	Setala	Feb 2009	B2
7519816	Phillips et al.	Apr 2009	B2
7539863	Phillips	May 2009	B2
7540024	Phillips et al.	May 2009	B2
7549060	Bourne et al.	Jun 2009	B2
7562220	Frank et al.	Jul 2009	B2
7565325	Lenard	Jul 2009	B2
7568096	Evans	Jul 2009	B2
7596784	Abrams	Sep 2009	B2
7610631	Frank et al.	Oct 2009	B2
7644239	Westerinen et al.	Jan 2010	B2
7669056	Frank	Feb 2010	B2
7694153	Ahdout	Apr 2010	B2
7770205	Frank	Aug 2010	B2
7814532	Cromer et al.	Oct 2010	B2
7877607	Circenis	Jan 2011	B2
7891007	Waxman et al.	Feb 2011	B2
7958029	Bobich et al.	Jun 2011	B1
20010034711	Tashenberg	Oct 2001	A1
20010056413	Suzuki et al.	Dec 2001	A1
20010056539	Pavlin et al.	Dec 2001	A1
20020002597	Morrell, Jr.	Jan 2002	A1
20020007310	Long	Jan 2002	A1
20020023212	Proudler	Feb 2002	A1
20020046098	Maggio	Apr 2002	A1
20020055906	Katz et al.	May 2002	A1
20020091569	Kitaura et al.	Jul 2002	A1
20020107701	Batty et al.	Aug 2002	A1
20020111916	Coronna et al.	Aug 2002	A1
20020112171	Ginter et al.	Aug 2002	A1
20020123964	Kramer et al.	Sep 2002	A1
20020124212	Nitschke et al.	Sep 2002	A1
20020129359	Lichner	Sep 2002	A1
20020138549	Urien	Sep 2002	A1
20020141451	Gates et al.	Oct 2002	A1
20020144131	Spacey	Oct 2002	A1
20020147601	Fagan	Oct 2002	A1
20020147782	Dimitrova et al.	Oct 2002	A1
20020147912	Shmueli et al.	Oct 2002	A1
20020178071	Walker et al.	Nov 2002	A1
20020184482	Lacombe et al.	Dec 2002	A1
20020184508	Bialick et al.	Dec 2002	A1
20020193101	McAlinden	Dec 2002	A1
20020194132	Pearson et al.	Dec 2002	A1
20030005135	Inoue et al.	Jan 2003	A1
20030014323	Scheer	Jan 2003	A1
20030027549	Kiel et al.	Feb 2003	A1
20030028454	Ooho et al.	Feb 2003	A1
20030035409	Wang et al.	Feb 2003	A1
20030037246	Goodman et al.	Feb 2003	A1
20030040960	Eckmann	Feb 2003	A1
20030046026	Levy et al.	Mar 2003	A1
20030048473	Rosen	Mar 2003	A1
20030056107	Cammack et al.	Mar 2003	A1
20030084104	Salem et al.	May 2003	A1
20030084278	Cromer et al.	May 2003	A1
20030084285	Cromer et al.	May 2003	A1
20030084337	Simionescu et al.	May 2003	A1
20030084352	Schwartz et al.	May 2003	A1
20030088500	Shinohara et al.	May 2003	A1
20030093694	Medvinsky et al.	May 2003	A1
20030097596	Muratov et al.	May 2003	A1
20030110388	Pavlin et al.	Jun 2003	A1
20030115458	Song	Jun 2003	A1
20030126519	Odorcic	Jul 2003	A1
20030131252	Barton et al.	Jul 2003	A1
20030135380	Lehr et al.	Jul 2003	A1
20030149671	Yamamoto et al.	Aug 2003	A1
20030156572	Hui et al.	Aug 2003	A1
20030156719	Cronce	Aug 2003	A1
20030163383	Engelhart	Aug 2003	A1
20030163712	LaMothe et al.	Aug 2003	A1
20030172376	Coffin, III et al.	Sep 2003	A1
20030185395	Lee et al.	Oct 2003	A1
20030188165	Sutton et al.	Oct 2003	A1
20030196102	McCarroll	Oct 2003	A1
20030196106	Erfani et al.	Oct 2003	A1
20030208338	Challener et al.	Nov 2003	A1
20030208573	Harrison et al.	Nov 2003	A1
20030229702	Hensbergen et al.	Dec 2003	A1
20040001088	Stancil et al.	Jan 2004	A1
20040003190	Childs et al.	Jan 2004	A1
20040003288	Wiseman et al.	Jan 2004	A1
20040010440	Lenard et al.	Jan 2004	A1
20040019456	Circenis	Jan 2004	A1
20040023636	Gurel et al.	Feb 2004	A1
20040030912	Merkle, Jr. et al.	Feb 2004	A1
20040034816	Richard	Feb 2004	A1
20040039916	Aldis et al.	Feb 2004	A1
20040039924	Baldwin et al.	Feb 2004	A1
20040039960	Kassayan	Feb 2004	A1
20040044629	Rhodes et al.	Mar 2004	A1
20040054907	Chateau et al.	Mar 2004	A1
20040054908	Circenis et al.	Mar 2004	A1
20040054909	Serkowski et al.	Mar 2004	A1
20040064707	McCann et al.	Apr 2004	A1
20040067746	Johnson	Apr 2004	A1
20040073670	Chack et al.	Apr 2004	A1
20040088548	Smetters et al.	May 2004	A1
20040093371	Burrows et al.	May 2004	A1
20040093508	Foerstner et al.	May 2004	A1
20040107359	Kawano et al.	Jun 2004	A1
20040107368	Colvin	Jun 2004	A1
20040123127	Teicher et al.	Jun 2004	A1
20040125755	Roberts	Jul 2004	A1
20040128251	Adam et al.	Jul 2004	A1
20040133794	Kocher et al.	Jul 2004	A1
20040139027	Molaro	Jul 2004	A1
20040193919	Dabbish et al.	Sep 2004	A1
20040199769	Proudler	Oct 2004	A1
20040205357	Kuo et al.	Oct 2004	A1
20040220858	Maggio	Nov 2004	A1
20040225894	Colvin	Nov 2004	A1
20040255000	Simionescu et al.	Dec 2004	A1
20040268120	Mirtal et al.	Dec 2004	A1
20050015343	Nagai et al.	Jan 2005	A1
20050021944	Craft et al.	Jan 2005	A1
20050028000	Bulusu et al.	Feb 2005	A1
20050033747	Wittkotter	Feb 2005	A1
20050039013	Bajikar et al.	Feb 2005	A1
20050044197	Lai	Feb 2005	A1
20050050355	Graunke	Mar 2005	A1
20050060388	Tatsumi et al.	Mar 2005	A1
20050065880	Amato et al.	Mar 2005	A1
20050080701	Tunney et al.	Apr 2005	A1
20050091104	Abraham	Apr 2005	A1
20050097204	Horowitz et al.	May 2005	A1
20050102181	Scroggie et al.	May 2005	A1
20050108547	Sakai	May 2005	A1
20050108564	Freeman et al.	May 2005	A1
20050120251	Fukumori	Jun 2005	A1
20050125673	Cheng et al.	Jun 2005	A1
20050129296	Setala	Jun 2005	A1
20050132150	Jewell et al.	Jun 2005	A1
20050138370	Goud et al.	Jun 2005	A1
20050138389	Catherman et al.	Jun 2005	A1
20050138423	Ranganathan	Jun 2005	A1
20050141717	Cromer et al.	Jun 2005	A1
20050144099	Deb et al.	Jun 2005	A1
20050166051	Buer	Jul 2005	A1
20050182921	Duncan	Aug 2005	A1
20050182940	Sutton	Aug 2005	A1
20050188843	Edlund et al.	Sep 2005	A1
20050203801	Morgenstern et al.	Sep 2005	A1
20050213761	Walmsley et al.	Sep 2005	A1
20050216577	Durham et al.	Sep 2005	A1
20050221766	Brizek et al.	Oct 2005	A1
20050235141	Ibrahim et al.	Oct 2005	A1
20050240533	Cutter et al.	Oct 2005	A1
20050246521	Bade et al.	Nov 2005	A1
20050246525	Bade et al.	Nov 2005	A1
20050246552	Bade et al.	Nov 2005	A1
20050257073	Bade	Nov 2005	A1
20050275866	Corlett	Dec 2005	A1
20050278519	Luebke et al.	Dec 2005	A1
20050279827	Mascavage et al.	Dec 2005	A1
20050286476	Crosswy et al.	Dec 2005	A1
20050289177	Hohmann, II	Dec 2005	A1
20050289343	Tahan	Dec 2005	A1
20060010326	Bade et al.	Jan 2006	A1
20060015717	Liu et al.	Jan 2006	A1
20060015718	Liu et al.	Jan 2006	A1
20060015732	Liu	Jan 2006	A1
20060020784	Jonker et al.	Jan 2006	A1
20060026418	Bade	Feb 2006	A1
20060026419	Arndt et al.	Feb 2006	A1
20060026422	Bade et al.	Feb 2006	A1
20060055506	Nicolas	Mar 2006	A1
20060072748	Buer	Apr 2006	A1
20060072762	Buer	Apr 2006	A1
20060074600	Sastry et al.	Apr 2006	A1
20060075014	Tharappel et al.	Apr 2006	A1
20060075223	Bade et al.	Apr 2006	A1
20060085634	Jain et al.	Apr 2006	A1
20060085637	Pinkas	Apr 2006	A1
20060085844	Buer et al.	Apr 2006	A1
20060089917	Strom et al.	Apr 2006	A1
20060090084	Buer	Apr 2006	A1
20060100010	Gatto et al.	May 2006	A1
20060106845	Frank et al.	May 2006	A1
20060106920	Steeb et al.	May 2006	A1
20060107306	Thirumalai et al.	May 2006	A1
20060107328	Frank et al.	May 2006	A1
20060107335	Frank et al.	May 2006	A1
20060112267	Zimmer et al.	May 2006	A1
20060117177	Buer	Jun 2006	A1
20060129824	Hoff et al.	Jun 2006	A1
20060130130	Kablotsky	Jun 2006	A1
20060143431	Rothman et al.	Jun 2006	A1
20060165005	Frank et al.	Jul 2006	A1
20060168664	Frank et al.	Jul 2006	A1
20060206618	Zimmer et al.	Sep 2006	A1
20060213997	Frank et al.	Sep 2006	A1
20060282319	Maggio	Dec 2006	A1
20060282899	Raciborski	Dec 2006	A1
20070033102	Frank et al.	Feb 2007	A1
20070280422	Setala	Dec 2007	A1
20090070454	McKinnon, III et al.	Mar 2009	A1

Foreign Referenced Citations (69)

Number	Date	Country
1531673	Sep 2004	CN
0635790	Jan 1995	EP
0843449	May 1998	EP
1061465	Dec 2000	EP
1085396	Mar 2001	EP
1387237	Feb 2004	EP
1429224	Jun 2004	EP
1223722	Aug 2004	EP
1460514	Sep 2004	EP
1233337	Aug 2005	EP
2359969	Sep 2001	GB
2378780	Feb 2003	GB
H0535461	Feb 1993	JP
H0635718	Feb 1994	JP
H07036559	Feb 1995	JP
H07141153	Jun 1995	JP
H086729	Jan 1996	JP
2001526550	May 1997	JP
H09185504	Jul 1997	JP
H9251494	Sep 1997	JP
2000293369	Oct 2000	JP
2001051742	Feb 2001	JP
2003510684	Mar 2001	JP
2001101033	Apr 2001	JP
2003510713	Apr 2001	JP
2001184472	Jul 2001	JP
2001312325	Nov 2001	JP
2001331229	Nov 2001	JP
2001338233	Dec 2001	JP
2002108478	Apr 2002	JP
2002108870	Apr 2002	JP
2002374327	Dec 2002	JP
2003507785	Feb 2003	JP
2003140761	May 2003	JP
2003140762	May 2003	JP
2003157335	May 2003	JP
2003208314	Jul 2003	JP
2003248522	Sep 2003	JP
2003296487	Oct 2003	JP
2002182562	Jan 2004	JP
2004062561	Feb 2004	JP
2004118327	Apr 2004	JP
2004164491	Jun 2004	JP
2004-304755	Oct 2004	JP
2004295846	Oct 2004	JP
2007525774	Sep 2007	JP
H08-054952	Feb 2011	JP
20010000805	Jan 2001	KP
20020037453	May 2002	KP
20050008439	Jan 2005	KP
20050021782	Mar 2005	KP
WO-9721162	Jun 1997	WO
WO-9811478	Mar 1998	WO
WO-0054126	Sep 2000	WO
WO-0135293	May 2001	WO
WO-0145012	Jun 2001	WO
WO-0163512	Aug 2001	WO
WO-0177795	Oct 2001	WO
WO-0193461	Dec 2001	WO
WO-0208969	Jan 2002	WO
WO-02056155	Jul 2002	WO
WO-02103495	Dec 2002	WO
WO-03009115	Jan 2003	WO
WO-03030434	Apr 2003	WO
WO-03073688	Sep 2003	WO
WO-03107585	Dec 2003	WO
WO-03107588	Dec 2003	WO
WO-2004092886	Oct 2004	WO
WO-2007032974	Mar 2007	WO

Related Publications (1)

	Number	Date	Country
	20060107329 A1	May 2006	US

Continuation in Parts (3)

	Number	Date	Country
Parent	11022493	Dec 2004	US
Child	11152214		US
Parent	11006837	Dec 2004	US
Child	11022493		US
Parent	10989122	Nov 2004	US
Child	11006837		US

Special PC mode entered upon detection of undesired state

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

CPC

US Classifications

Field of Search

US

International Classifications

Term Extension