The present invention claims the benefit of U.S. provisional Application No. 60/089,704, filed Jun. 18, 1998.
The present invention provides a system for controlling access to receiver functionality and data from downloaded applications in a digital television receiver.
The present invention addresses the issue of security and security policies in the digital television (DTV) application environment. In particular, the invention extends the Java(™) Security Architecture, a product of Sun Microsystems. However, the invention is not limited to a Java programming language implementation.
Java allows programmers to create interactive, multimedia applications for the World Wide Web. For example, Java applications, known as “applets”, may comprise an animation, a video clip, an interactive game or other entertaining or educational tool.
The applets are downloaded and run using a browser on a user's computer. The computer may be associated with a digital television receiver that receives the applets, e.g., from a cable or satellite television network, or from a separate telephone link.
An applet is written in Java, then compiled to a bytecode format. An HTML tag “<APPLET>” may then be used to fetch the compiled applet from the current web page. Alternatively, the applet may be fetched from a specified URL using the HTML attribute “CODEBASE”.
Security is an important issue when applets are downloaded and executed on a user's computer. For example, it is desirable to prevent an applet from accessing specific resources of the computer. An applet produced by an attacker could retrieve information already stored on the computer and send it back over a network to the attacker, destroy files already stored on the computer, or consume resources, such as filling up the computer's disk.
It would be desirable to provide a mechanism for allowing only specific users to access receiver functionality and/or the applets, e.g., in a subscriber television network. For example, the applets may be used to provide enhanced features such as on-screen channel guides, stock ticker information, weather information, parental lockout capability, and program rating control enforcement. Access should be granted only to specific users, e.g., upon payment of additional fees.
However, the existing security mechanisms have not been sufficiently flexible to meet these challenges.
Prior art security schemes analyze the source of an application (Uniform Resource Locator or URL of where it came from) and/or a set of signatures (keys) which authenticate the application, and assign it to a security domain based on the local policy settings, again defined by application source, signer and a set of permissions. Once the security domain is resolved, it does not change.
The current Java Security Architecture is centered around security domains based on the application source, its signer(s) and a set of permissions granted to applications. Once the permissions are resolved, the permissions granted to an application are static and do not change over the lifetime of the application (unless the policy configuration changes).
Accordingly, it would be desirable to provide a security policy that grants dynamic permissions, e.g., based on a determination as to whether the current environment satisfies the permission's conditions related to the current state of the receiver (i.e., at the time the permission is checked, not at the time the permission is granted).
The following terminology will be used:
Application Source—location of where the application was downloaded from, mostly in a URL format. For broadcast environments, the Internet-based URL format is extended to cover an MPEG-2 network, transport stream and service, event identification and carousel data filename. The application source is also referred to in the Java language as “CodeSource”;
Digital Television (DTV) Receiver—a device capable of receiving digital television signals including video, audio and data components;
Permission—enables access to system resources, receiver functions, user private data, and other sensitive resources which may deserve protection;
Policy—provides an association between Permissions, Application Sources and Signers; and
Signer—provides identification of an entity which digitally signed the Application Source.
For further terminology, refer to ATSC Program and System Information Protocol for Terrestrial Broadcast and Cable, (PSIP), A65, December 1997, and Java Security Architecture, Li Gong, Oct. 2, 1998, DRAFT DOCUMENT (Revision 1.0).
In a digital TV broadcast environment, the situation is more complex than what the current Java security architecture addresses. Applications are often associated with virtual video channels that a user is watching. An application associated with that channel or a set of related channels (PSIP major channel number may be the grouping function) should get more access control permissions than an application associated with a channel from another group that is not being watched at the moment. This means that if an application still runs after the user tunes to another channel, e.g., possibly outside the major virtual channel number or a Digital Video Broadcast (DVB) Bouquet, it should lose some or all of its permissions.
A DVB Bouquet is a concept of grouping services (channels) that are broadcast on different transport streams and/or networks together based on a provider or content type or the like. It is represented by a Bouquet Association Table (BAT) in the DVB Service Information (SI) protocol.
Also, it would be desirable for the permissions of an application to be limited by the privileges of the current user, the state of the receiver and/or current time. This requires the security policy to be dynamic.
Note that some applications are automatically terminated after a channel change, but the applications that are not directly associated with the video being viewed may persist across channel changes.
Accordingly, it would be desirable to provide a security policy that addresses the above concerns. Such a security policy should allow an application associated with a group of channels (e.g., the ABC major channel number 10) to persist across channel changes within this group using a set of permissions. As soon as the user tunes away from the ABC domain, the application should be denied some or all of its permissions, or terminated completely.
Moreover, it would be desirable to provide a flexible security policy that allows applications such as a navigation/channel guide within a broadcast network (such as ABC), but prevents such applications from steering users away from another network (such as NBC), blocking access to other networks, or mounting other types of attacks. The security policy should resolve the conflicting requirements which, on one hand, force an application to be terminated on a channel change to prevent ABC's logo or other messages from showing up on NBC's channel, and, on the other hand, allow applications such as stock tickers or navigation/channel guides to live beyond channel changes.
Furthermore, it would be desirable to provide a system that allows service providers, consumer electronics (CE) manufacturers, end users or standards bodies (such as the Advanced Television System Committee—ATSC) to define flexible security policies for the execution of downloaded applications on DTV receivers.
It would be desirable for the security policy to be suitable for use with parental lockout functions, rating controls, and circular blackout.
It would be desirable for the security policy to be independent of user interaction if desired. The security policy should support multiple concurrent applications and use the current state of a set-top box, which can change at any time (e.g. the current channel number, the current authorization state, the current user, etc.), to determine the result of a security policy permission check.
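The following is an added illustration, not code from the patent, of the dynamic check described above in the Java Security Architecture terms the text uses: a hypothetical ChannelGroupPermission whose implies() consults the receiver's current PSIP major channel number at check time, so a grant that was valid while the user watched major channel 10 stops implying the requested permission once the user tunes away. ReceiverState, ChannelGroupPermission and the channel numbers are constructed for this example.

```java
import java.security.Permission;

public class DynamicPolicyDemo {
    public static void main(String[] args) {
        ReceiverState state = new ReceiverState(10);   // constructed: user is watching major channel 10
        Permission granted = new ChannelGroupPermission("channelGuide", 10, state);
        Permission needed  = new ChannelGroupPermission("channelGuide", 10, state);
        System.out.println(granted.implies(needed));   // true: receiver still tuned to the granted group
        state.tune(4);                                 // user tunes to a channel outside the group
        System.out.println(granted.implies(needed));   // false: same grant, but the state changed
    }
}

/** Receiver state that can change at any time; the permission reads it on every check. */
final class ReceiverState {
    private volatile int currentMajorChannel;
    ReceiverState(int major) { this.currentMajorChannel = major; }
    int currentMajorChannel() { return currentMajorChannel; }
    void tune(int major) { currentMajorChannel = major; }
}

/** Hypothetical permission: valid only while the receiver is tuned to the granted major channel. */
final class ChannelGroupPermission extends Permission {
    private final int majorChannel;
    private final ReceiverState state;

    ChannelGroupPermission(String function, int majorChannel, ReceiverState state) {
        super(function);            // the protected receiver function is the permission name
        this.majorChannel = majorChannel;
        this.state = state;
    }

    @Override
    public boolean implies(Permission p) {
        if (!(p instanceof ChannelGroupPermission)) return false;
        ChannelGroupPermission other = (ChannelGroupPermission) p;
        // Static part: same protected function and same channel group as granted.
        boolean sameTarget = getName().equals(other.getName()) && majorChannel == other.majorChannel;
        // Dynamic part: the condition is evaluated against the receiver state now, not at grant time.
        return sameTarget && state.currentMajorChannel() == majorChannel;
    }

    @Override public boolean equals(Object o) {
        return o instanceof ChannelGroupPermission
            && ((ChannelGroupPermission) o).getName().equals(getName())
            && ((ChannelGroupPermission) o).majorChannel == majorChannel;
    }
    @Override public int hashCode() { return getName().hashCode() * 31 + majorChannel; }
    @Override public String getActions() { return ""; }
}
```

A real policy would also fold in the other state the text names (current user, authorization state, time) by adding those conditions to the dynamic part of implies().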
It would also be desirable to provide the capability for the security policy to accept a user input.
The present invention provides a system having the above and other advantages.