Isolating an application running inside a native container application

US 10,607,002 B2
Filed: 08/30/2016
Issued: 03/31/2020
Est. Priority Date: 08/30/2016
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising:

one or more processors; and

one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to limit access to native device capabilities, including instructions that are executable to configure the computer system to perform at least the following;

executing a container application installed at the computer system, the container application configured to execute one or more hosted script based applications and the container application configured to;

identify a hosted application to execute;

obtain information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to;

create a hosting manager, the hosting manager implemented completely within a native context of the device, and provide the information identifying the limited set of capabilities to the hosting manager;

the container application preventing the hosted application from directly accessing any of the native device capabilities;

to provide access to the limited set of capabilities, for the limited set of capabilities, identify and provide plugins which provide access to the limited set of capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the native context associated with the container application and a hosted application context such that the hosted application can communicate with the limited set of capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and

execute the hosted application and enforce limits on the hosted application such that the hosted application is able to access only the native device capabilities identified in the limited set of capabilities.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Limiting access to native device capabilities. A method includes, at a container application installed at the computing device, the container application configured to execute hosted script based applications, identifying a hosted application to execute. The method further includes, at the container application, obtaining information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to. The method further includes, at the container application, executing the hosted application and enforcing limits on the hosted application such that the hosted application is only able to access the native device capabilities identified in the limited set of capabilities.

23 Citations

View as Search Results

20 Claims

1. A computer system comprising:
- one or more processors; and
  
  one or more computer-readable media having stored thereon instructions that are executable by the one or more processors to configure the computer system to limit access to native device capabilities, including instructions that are executable to configure the computer system to perform at least the following;
  
  executing a container application installed at the computer system, the container application configured to execute one or more hosted script based applications and the container application configured to;
  
  identify a hosted application to execute;
  
  obtain information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to;
  
  create a hosting manager, the hosting manager implemented completely within a native context of the device, and provide the information identifying the limited set of capabilities to the hosting manager;
  
  the container application preventing the hosted application from directly accessing any of the native device capabilities;
  
  to provide access to the limited set of capabilities, for the limited set of capabilities, identify and provide plugins which provide access to the limited set of capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the native context associated with the container application and a hosted application context such that the hosted application can communicate with the limited set of capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and
  
  execute the hosted application and enforce limits on the hosted application such that the hosted application is able to access only the native device capabilities identified in the limited set of capabilities.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the hosted application includes functionality configured to use device capabilities for which device capabilities have not been granted to the hosted application and wherein the container application prevents the hosted application from accessing the device capabilities that have not been granted to the hosted application.
  - 3. The system of claim 1, wherein at least one of the capabilities in the set of capabilities comprises a capability for a limited portion of a file system such that the hosted application is limited to accessing only the limited portion of the file system without being able to access other portions of the file system.
  - 4. The system of claim 1, wherein at least one of the capabilities in the set of capabilities comprises a capability for accessing or controlling device hardware including at least one of a camera, a microphone, communication hardware, or location hardware.
  - 5. The system of claim 1, further comprising revoking access to one or more of the capabilities in the set of capabilities.
  - 6. The system of claim 5, wherein the one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to determine that an attempt to uninstall the hosted application has occurred, and wherein revoking access to one or more of the capabilities in the set of capabilities is performed as a result of determining that an attempt to uninstall the hosted application has occurred.
  - 7. The system of claim 5, wherein the one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to determine that the hosted application is associated with a virus infection, and wherein revoking access to one or more of the capabilities in the set of capabilities is performed as a result of determining that the hosted application is associated with a virus infection.
  - 8. The system of claim 5, wherein the one or more computer-readable media further have stored thereon instructions that are executable by the one or more processors to configure the computer system to determine that policy has been changed, and wherein revoking access to one or more of the capabilities in the set of capabilities is performed as a result of determining that policy has been changed.

9. At a computing device having native device capabilities, a computer implemented method of limiting access to native device capabilities, the method comprising:
- executing a container application installed at the computing device, the container application configured to execute one or more hosted script based applications and the container application configured to perform;
  
  identifying a hosted application to execute;
  
  obtaining information identifying a limited set of capabilities from among the native device capabilities indicating which of the native device capabilities the hosted application has been granted access to;
  
  creating a hosting manager, the hosting manager implemented completely within a native context of the device, and providing the information identifying the limited set of capabilities to the hosting manager;
  
  the container application preventing the hosted application from directly accessing any of the native device capabilities;
  
  to provide access to the limited set of capabilities, for the limited set of capabilities, identifying and providing plugins which provide access to the limited set of capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the native context associated with the container application and a hosted application context such that the hosted application can communicate with the limited set of capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and
  
  executing the hosted application and enforcing limits on the hosted application such that the hosted application is able to access only the native device capabilities identified in the limited set of capabilities.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method of claim 9, wherein the hosted application includes functionality configured to use device capabilities for which device capabilities have not been granted to the hosted application and wherein the container application prevents the hosted application from accessing the device capabilities that have not been granted to the hosted application.
  - 11. The method of claim 9, wherein at least one of the capabilities in the set of capabilities comprises a capability for a limited portion of a file system such that the hosted application is limited to accessing only the limited portion of the file system without being able to access other portions of the file system.
  - 12. The method of claim 9, wherein at least one of the capabilities in the set of capabilities comprises a capability for accessing or controlling device hardware including at least one of a camera, a microphone, communication hardware, or location hardware.
  - 13. The method of claim 9, further comprising revoking access to one or more of the capabilities in the set of capabilities.
  - 14. The method of claim 13, further comprising determining that an attempt to uninstall the hosted application has occurred, and wherein revoking access to one or more of the capabilities in the set of capabilities is performed as a result of determining that an attempt to uninstall the hosted application has occurred.
  - 15. The method of claim 13, further comprising determining that the hosted application is associated with a virus infection, and wherein revoking access to one or more of the capabilities in the set of capabilities is performed as a result of determining that the hosted application is associated with a virus infection.
  - 16. The method of claim 13, further comprising determining that policy has been changed, and wherein revoking access to one or more of the capabilities in the set of capabilities is performed as a result of determining that policy has been changed.

17. A computing device comprising:
- one or more cameras;
  
  one or more microphones;
  
  one or more pieces of communication hardware;
  
  one or more pieces of location hardware;
  
  a file system;
  
  a container application coupled to the one or more cameras, one or more microphones, one or more pieces of communication hardware, one or more pieces of location hardware and the file system, wherein the container application is configured to access computing device capabilities associated with the one or more cameras, one or more microphones, one or more pieces of communication hardware, one or more pieces of location hardware and the file system; and
  
  a script based hosted application configured to be executed by the container application, wherein the container application is configured to;
  
  create a hosting manager, the hosting manager implemented completely within a native context of the device, and provide information identifying the computing device capabilities to the hosting manager;
  
  the container application preventing the hosted application from directly accessing any of the native device capabilities;
  
  to provide access to the limited set of capabilities, for the computing device capabilities, identify and provide plugins which provide access to the computing device capabilities to the hosted application, the plugins providing a transport layer between the container application and the hosted application which provides a connection between the a native context associated with the container application and a hosted application context such that the hosted application can communicate with the computing device capabilities through the plugins and the hosting manager, each plugin having a container part executing within the container application and an outside part executing within the native context, wherein the container part communicates with the outside part through messages and wherein, before allowing access to any native device capability, the outside part verifies permissions of the hosted application to access the any native device capability; and
  
  limit capabilities associated with the one or more cameras, one or more microphones, one or more pieces of communication hardware, one or more pieces of location hardware and the file system to the hosted application even when the hosted application includes functionality for accessing capabilities from which it is limited.
- View Dependent Claims (18, 19, 20)
- - 18. The computing device of claim 17, further comprising a central portal coupled to the container application, wherein the central portal comprises a correlation of hosted applications and device capabilities, such that the hosted application is able to identify from the central portal what device capabilities should be granted to hosted applications.
  - 19. The computing device of claim 18, wherein the hosted application is configured to create a hosting manager using the correlation from the central portal, wherein the hosting manager is configured to permit or deny requests from hosted applications.
  - 20. The computing device of claim 17, further comprising a plugin layer configured to allow the hosted applications to access device capabilities.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Ilaiwi, Faisal Khaled Faisal, Phelps, Bryan Thomas, Elsayed, Yasser, Ponath, Christoph Rolf
Primary Examiner(s)
Lanier, Benjamin E

Application Number

US15/252,012
Publication Number

US 20180060567A1
Time in Patent Office

1,309 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/6218   to a system of files or obj...

G06F 2221/033   Test or assess software

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/455   Emulation; Interpretation; ...

Isolating an application running inside a native container application

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Isolating an application running inside a native container application

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links