1. Field of the Invention
The invention relates to interactive television systems and more particularly to means for enforcing security in regard to interactive television applications which may access other modules or take some action which is restricted.
2. Description of the Related Art
Interactive television systems enable television sets to be used to provide various new means for providing services to viewers. Interactive television systems are capable of displaying text and graphic images in addition to typical video program streams. Interactive television systems are also capable of registering viewer actions or responses. Proposed features of interactive television include a variety of marketing, entertainment and educational capabilities such as allowing a user to interact with televised programs by ordering advertised products or services, competing against contestants in a game show, or requesting specialized information regarding particular programs.
Typically, a broadcast service provider generates an interactive television signal for transmission to a viewer's television. The interactive television signal includes an interactive portion consisting of application code or control information, as well as an audio-video portion consisting of a television program. The broadcast service provider combines the audio-video and interactive portions into a single signal for transmission to a receiver connected to the user's television. The signal is generally compressed prior to transmission and transmitted through typical broadcast channels, such as cable television (CATV) lines or direct satellite transmission systems.
The interactive functionality of the television is controlled by a set-top box connected to the television. The set-top box receives the signal transmitted by the broadcast service provider, separates the interactive portion from the audio-video portion and decompresses the respective portions of the signal. The set-top box uses the interactive information, for example, to execute an application while the audio-video information is transmitted to the television. The set-top box may combine the audio-video information with interactive graphics or audio generated by the interactive application prior to transmitting the information to the television. The interactive graphics and audio may present additional information to the viewer or may prompt the viewer for input. The set-top box may provide viewer input or other information to the broadcast service provider via a modem connection.
Interactive television applications consist of one or more program modules. If the application has more than one module, the set of modules forming the application is typically self-contained. That is, all of the code needed by the application is in that set of modules. The first module is a directory module which identifies all of the modules which are part of the application. The entire set of modules, which is listed in the directory module, is transmitted via the broadcast channel to the set-top box and the application is executed. (The set of modules may be referred to as a carousel, as explained below.) If a first interactive television application has completed execution and a second is to be executed, the directory and other modules of the second application are transmitted to the set-top box and the second application is executed. The entire set of modules used by the second application are transmitted even though some of the modules might be identical to modules used by the first application.
It may be advantageous to design software applications in a modular fashion so that modules may be shared between applications. The advantages of modularity may include conserving the limited amount of memory in a set-top box which can be used for interactive applications, reducing the time required to download applications from a broadcast station to a set-top box or reducing the amount of application code which must be written by allowing modules to be shared. Because the components of an application may reside in different carousels, it would be desirable to ensure the security of the respective modules and accordingly restrict access to authorized modules.
It would also be advantageous to provide a mechanism for allowing applications to interact with each other in a controlled manner, even when they do not share modules. For example, if one application transfers control to another application and the second application stalls, the first application may need to terminate the second application in order to regain control. It would therefore be desirable to provide a system which can verify the first application's access rights and determine whether to allow the first application to take such an action. Further, it would be desirable to implement these features in a way that minimizes the overhead associated with the system.